Identity-based Hierarchical Designated Decryption *

Transcription

1 JOURNAL OF INFORMATION SCIENCE AND ENGINEERING 26, (200) Identity-baed Hierarchical Deignated Decryption * SHU-HUI CHANG, CHUAN-MING LI 2 AND TZONELIH HWANG 3 Center of General Education Southern Taiwan Univerity of Technology Tainan, 70 Taiwan 2 Department of Information Management Shu-Zen College of Medicine and Management Kaohiung, 82 Taiwan 3 Department of Computer Science and Information Engineering National Cheng Kung Univerity Tainan, 70 Taiwan Thi paper preent an identity-baed hierarchical deignated decryption (IHDD) cheme which allow a meage ender to generate ciphertext that can be decrypted by () only a pecified recipient or (2) a pecified recipient and all or ome of it ancetor uer in the hierarchy tree. The newly propoed cheme can be conidered a a combination of the hierarchical identity-baed encryption (HIBE) and the identity-baed multirecipient encryption cheme (ID-baed MRES). However, the purpoe and tructure of the propoed IHDD cheme are different from thoe of the HIBE and the ID-baed MRES. The propoed IHDD cheme ha low computation complexity, in which the decryption operation need only one bilinear pairing computation, and contant length private key wherein the length of uer private key i independent of the hierarchy depth. The ecurity of the propoed cheme i baed on the deciion bilinear Diffie-Hellman inverion aumption without uing random oracle. Keyword: data ecurity, hierarchical, identity-baed encryption, key ecrow, multi-recipient encryption. INTRODUCTION Shamir [5] introduced the firt identity-baed encryption (IBE) cheme to allow a uer to adopt an identity tring (e.g., an addre) a a public key in 984. The major advantage of IBE cheme i to implify the management of public key certificate. Extenion of IBE have ince been widely tudied [2, 4, 9,, 2]. Hierarchical IBE (HIBE), which reflect an organizational hierarchy, wa firt preented by Horwitz and Lynn [2]. In HIBE, identitie are vector. A vector of dimenion j denote an identity at depth j of the hierarchy tree. Many HIBE cheme had been propoed [2, 3,, 2]. Thee cheme poeed two important propertie: hierarchical acce to meage and decentralized key generation. The property of hierarchical acce to meage enable uer to decrypt all ciphertext ent to their ubordinate (decendant) in the hierarchy tree. The property of decentralized key generation allow an identity at depth j of the hierarchy tree to iue private key to it child node. Eentially, the HIBE i not meant to prevent uer from acceing ecret meage ent to their ubordinate. Thu, it i not uitable for the envi- Received June 20, 2008; revied December 2, 2008 & March 9, 2009; accepted Augut 3, Communicated by Wen-Guey Tzeng. * Thi reearch wa upported by the National Science Council of Taiwan, R.O.C., under the Contract No. NSC E

2 244 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG ronment which allow uer to protect their privacy from uperviion of their ancetor uer. In addition, the property of decentralized key generation alo may not be uitable in the centralized key ecrow environment. Let u conider the following application environment. An intelligence organization uually ha a key generation center (KGC) to generate the private key for all agent o that the property of centralized key ecrow i held. The organization i divided into everal ection. Each ection ha a upervior who can monitor the communication of hi ubordinate agent by decrypting the ciphertext ent to them without knowing their private key. However, the chief of the organization ometime require to end meage to ome pecified agent wherein the meage cannot be known by their upervior. Another example i in the repreentation of any company organized a a hierarchy tree, in which a computer center i fully reponible for the key generation for the company. A new employee obtain hi employee identity number and hi correponding private key directly from the computer center. To oberve an employee activity during working hour, a manager i authorized to acce encrypted ent to hi ubordinate without knowing their private key. However, the CEO (chief executive officer) may require to end meage which can only be decrypted by ome pecified employee rather than all their ancetor uer in the hierarchy tree. Obviouly, the exiting HIBE cheme cannot be directly applied to the above application environment due to the propertie of hierarchical acce to meage and decentralized key generation. Some exiting identity-baed cryptographic cheme, uch a identity-baed broadcat encryption cheme (ID-baed BES) [0, 4, 6] and identity-baed multi-recipient encryption cheme (ID-baed MRES) [], are propoed for the application environment which are imilar to the aforementioned one. In an ID-baed BES, a ender encrypt a eion key k and end it to a dynamically changing et of uer uch that only a privileged ubet of uer can decrypt it. With the eion key k, the ubequent broadcat can be ecured uing a conventional private-key cryptoytem, uch a DES. The IDbaed MRES propoed in [] allow a ender to encrypt a ingle meage for n pecified receiver with low computation complexity. Upon receiving the ciphertext, receiver i, for i =, 2,, n, can decrypt it uing it own private key. Although both ID-baed BES [0, 4, 6] and the ID-baed MRES [] allow the meage ender to encrypt and end a meage to a et of pecified receiver, they are not epecially deigned for an organizational hierarchy of uer. Thi paper aim to preent a cryptographic cheme, called identity-baed hierarchical deignated decryption (IHDD), for the requirement of electable hierarchical acce to meage and centralized key ecrow in the hierarchical environment. The electable hierarchical acce to meage i that a uer encrypt a meage and determine whether the decryption i allowed by () only a pecified receiver or (2) a pecified receiver and all or ome of it ancetor uer in the hierarchy tree. When a uer i allowed to decrypt the ciphertext ent to it ubordinate, it can perform the decryption operation with it own private key without knowing the private key of it ubordinate. The property of centralized key ecrow require all uer private key generated by the KGC rather than by their ancetor uer. We propoe an IHDD cheme baed on the bilinear pairing. The propoed cheme Centralized key ecrow i a ytem in which all cryptographic key needed to decrypt ciphertext are held in ecrow by a truted third party. It i ued to enure that the cryptographic key are controlled and backed up in cae they are lot by any uer due to a diater or maliciou intent.

3 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 245 can be conidered a a combination of Boneh and Boyen HIBE cheme [2] and Baek et al. ID-baed MRES []. However, the purpoe and tructure of our cheme are different from thoe of all the previou one. The propoed IHDD cheme ha the following advantage: () lower computation complexity: the decryption operation in the propoed cheme need only one bilinear pairing computation, while the decryption in the exiting HIBE cheme and the ID-baed MRES [] need at leat two uch computation, and (2) contant length of private key: each identity private key in the propoed cheme comprie two element, and it length i independent of the depth in the hierarchy tree; by contrat, the private key length in exiting HIBE depend on the hierarchy depth. To how the ecurity of the propoed IHDD cheme, a formal ecurity model i preented uing the elective-identity attack [2, 5]. The elective-identity (ID) attack, in which the adverary mut commit ahead of time to the identity that it intend to attack, i a lightly weaker ecurity notion than the full identity attack [4], in which the adverary i allowed to chooe the identity adaptively. The ID attack ha been widely adopted for deigning a ecurity proof model by the reearch community. In [7], Chatterjee and Sarkar indicated a technical difficulty in the ID attack, wherein the adverary ha to commit to identitie even before it know the et of identitie. More preciely, the identity pace i uually pecified by the etup algorithm of the cryptographic cheme. However, ince the actual etup ha not been done, there i no real adverary and hence no real target identity. Chatterjee and Sarkar [7] uggeted two poible olution to the difficulty. The firt olution i to allow the adverary to commit to binary tring and later when the etup program ha been executed, thee binary tring are mapped to identitie uing a colliion reitant hah function. Another olution i to run the etup program in two phae. In the firt phae, the identity pace i pecified and i made available to the adverary; then the adverary commit to the identitie that it intend to attack; and after obtaining the identitie the ret of the etup program i executed. Thi paper formally how that the propoed IHDD cheme i ecure againt ID adaptive choen-plaintext attack (i.e., ID-CPA-ecure ) baed on the deciion bilinear Diffie-Hellman inverion (deciion BDHI) aumption [2] in the tandard model (i.e., without the ue of random oracle). Roughly peaking, the deciion BDHI aumption ay that no efficient algorithm can ditinguih e(g, g) /x from random, given g, g x, g (x2),, g (xκ) for ome poitive integer κ. Moreover, a recent reult of Canetti et al. [6] give an efficient approach to contruct a CCA-ecure (i.e., ecure againt adaptive choen-ciphertext attack) public-key encryption cheme from any CPA-ecure identity-baed encryption cheme. Accordingly, the propoed ID-CPA-ecure IHDD cheme can alo be converted into an ID-CPA-ecure IHDD cheme baed on Canetti et al. approach [6]. The remainder of thi paper i organized a follow. Section 2 propoe the definition of ecurity for the IHDD cheme and review bilinear group and the deciion BDHI aumption. Section 3 propoe a pairing-baed IHDD cheme, and how it ecurity in the ID attack model without uing random oracle. A hort concluion i drawn in ection ID Secure IHDD Scheme 2. PRELIMINARIES Let l-ihdd cheme denote an IHDD cheme with the hierarchy tree of maximum

4 246 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG depth l. In the l-ihdd cheme, a vector of dimenion j repreent an identity at depth j of the hierarchy tree, e.g. ID j = (I,, I j ), j l. The ancetor of the identity ID j are the uer whoe identitie are ID i = (I,, I i ) for i < j and I a = I a for a i. Thu, the identity of an ancetor of the identity ID j i aid to be the prefix of ID j. Let S denote the et of all uer identitie in the hierarchy tree. Let the ymbol Choice-type denote that the ciphertext can be decrypted either by () only a pecified receiver (i.e., Choice-type = Member-choice ) or (2) a pecified receiver and all or ome of it ancetor uer in the hierarchy tree (i.e., Choice-type = Member-ancetor-choice ). Let the ymbol Choice denote the et of receiver choen by the meage ender, and Choice S. Therefore, if Choice-type = Member-choice, the Choice contain only an identity, while if Choice-type = Member-ancetor-choice, the Choice contain an identity of a pecified receiver and the indice of it ancetor uer choen by the meage ender. A in an HIBE cheme [2,, 2], the l-ihdd cheme i compoed of the following four algorithm: Setup, KeyGen, Encrypt, Decrypt. Setup: On input of the maximum depth l of the hierarchy tree, thi algorithm output the identity pace S, the ytem public parameter param and the mater ecret key mater-key. KeyGen: On input of the mater-key and a uer identity ID j S, thi algorithm output the uer private key d j. Encrypt: Thi algorithm take a input the param, Choice-type, Choice, and a meage M. It ue param and all identity ID * Choice to encrypt M and output a ciphertext C. Decrypt: Thi algorithm take a input the Choice-type, Choice, the private key d correponding to the identity ID * Choice and a ciphertext C. It output a plaintext M. The following game played between an adverary A and a challenger C formally define CCA ecurity of l-ihdd cheme in the ID attack model. Thi ecurity model can be conidered that the adverary want to decrypt a pecific ciphertext ent to a pecified receiver and it ancetor uer in the hierarchy tree. The adverary can be a regitered uer and i capable of obtaining the other uer private key except the uer in the Choice. Additionally, the adverary can collect meage exchanged between uer and can ak uer to decrypt any meage except the target ciphertext. The ecurity model adopt the olution uggeted by Chatterjee and Sarkar [7]. The etup algorithm i divided into two phae. In the firt phae, the identity pace S i pecified and i made available to the adverary. Then the adverary commit to the identitie that it intend to attack. After obtaining the identitie, the ret of the etup algorithm i executed. The game i decribed a follow. Setup_: The challenger C run the Setup algorithm. C give A the identity pace S of uer. Commit: The adverary A output a Choice-type, a et Choice and the identity ID * that it tend to attack, where ID * Choice. Setup_2: The challenger C continue to run the ret of the Setup algorithm. The C give A the reulting ytem parameter param and keep the mater-key to itelf.

5 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 247 Phae : A iue querie q,, q m where query q i i one of the following Private key query ID i, where ID i S and ID * Choice. C repond by running algorithm KeyGen to generate the private key d i correponding to the public key ID i and end d i to A. Decryption query C i for an identity ID * Choice. C repond by running algorithm KeyGen to generate the private key d correponding to ID * (or the relevant prefix a requeted). It then run algorithm Decrypt to decrypt the ciphertext C i by uing the private key d, and end the reulting plaintext to A. A may query C adaptively, that i, each query q i may depend on the replie to q,, q i-. Challenge: Once A decide that Phae i over it output two equal length plaintext M 0, M M on which it wihe to be challenged. C chooe a bit b {0, } at random and et the challenge ciphertext to C = Encrypt(param, Choice-type, -Choice, M b ). It end C a the challenge to the adverary A. Phae 2: A iue additional querie q m+,, q n where query q i i one of: Private key query ID i, where ID i Choice. The C repond a in Phae. Decryption query C i, where C i C for an identity ID * Choice. C repond a in Phae. Thee querie may be aked adaptively a in Phae. Gue: Finally, A output a gue b {0, }. A win if b = b. The adverary A i referred a an IND-ID-CCA adverary. The advantage of the adverary A in attacking the cheme E i defined a AdvE, A = Pr[ b = b ]. 2 The probability i over the random bit ued by the challenger and the adverary. Definition An l-ihdd cheme E i aid to be (t, q, q D, ε)-elective identity, adaptive choen ciphertext ecure if for any t-time IND-ID-CCA adverary A that make at mot q choen private key querie and at mot q D choen decryption querie we have that Adv E,A < ε. A horthand, we ay that E i (t, q, q D, ε)-ind-id-cca ecure. Semantic Security Like the decription in [2], the elective identity, choen plaintext ecurity for an l-ihdd cheme i defined a in the previou game, except that the adverary i not allowed to iue any decryption querie. The adverary may till iue adaptive private key querie. Thi ecurity notion i termed a IND-ID-CPA. Definition 2 An l-ihdd cheme E i aid to be (t, q, ε)-ind-id-cpa ecure if E i (t, q, 0, ε)-ind-id-cca ecure.

6 248 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG 2.2 Bilinear Group Thi ubection briefly review the neceary fact about bilinear map (bilinear pairing) and bilinear map group. We will follow the notation in [4]:. G and G are two (multiplicative) cyclic group of prime order p. 2. g i a generator of G. 3. e i a bilinear map e: G G G. Let G and G be two group a above. A bilinear map i a map e: G G G with the following propertie:. Bilinearity: for all u, v G and a, b Z, we have e(u a, v b ) = e(u, v) ab. 2. Non-degeneracy: e(g, g) G. If the group action in G can be computed efficiently and there exit a group G and an efficiently computable bilinear map e: G G G a above, then G i aid to be a bilinear group. Notice that e(, ) i ymmetric becaue e(g a, g b ) = e(g b, g a ) = e(g, g) ab. 2.3 Bilinear Diffie-Hellman (BDH) Aumption Let G be a bilinear group of prime order p. The BDH problem [2, 3] in G i a follow: given a tuple g, g a, g b, g c G a input, output e(g, g) abc G. An algorithm A ha advantage F in olving the deciion BDH problem in G if Pr[A(g, g a, g b, g c ) = e(g, g) abc ] ε, where the probability i over the random choice of generator g in G *, the random choice of a, b, c in Z p, and the random bit ued by A. Similarly, we ay that an algorithm B that output b {0, } ha advantage ε in olving the deciion BDH problem in G if Pr[B(g, g a, g b, g c, e(g, g) abc ) = ] Pr[B(g, g a, g b, g c, T) = ] ε, where the probability i over the random choice of generator g in G *, the random choice of a, b, c in Z p, the random choice of T G, and the random bit conumed by B. Definition 3 We ay that the (deciion) (t, ε)-bdh aumption hold in G if no t-time algorithm ha advantage at leat ε in olving the (deciion)-bdh problem in G. Occaionally we drop the t and ε and refer to the BDH and Deciion BDH aumption in G. 2.4 Bilinear Diffie-Hellman Inverion (BDHI) Aumption Let G be a bilinear group of prime order p, and let g be a generator of G. The κ-bdhi problem in the group G i defined a follow [2]: given the (κ + )-tuple (g, g x, g (x2),,

7 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 249 g (xκ) ) (G * ) κ+ a input, compute e(g, g) /x G *. An algorithm A ha advantage ε in olving κ-bdhi in G if Pr[A(g, g x,, g (xκ) ) = e(g, g) /x ] ε, where the probability i over the random choice of x in Z * p and the random bit of A. Similarly, we ay that an algorithm B that output b {0, } ha advantage F in olving the deciion κ-bdhi problem in G if Pr[B(g, g x,, g (xκ), e(g, g) /x ) = ] Pr[B(g, g x,, g (xκ), T) = ] ε, where the probability i over the random choice of x in Z * p, the random choice of T G *, and the random bit of B. Definition 4 We ay that the (deciion) (t, κ, ε)-bdhi aumption hold in G if no t-time algorithm ha advantage at leat ε in olving the (deciion) κ-bdhi problem in G. For conciene we ometime drop the t and ε and imply refer to κ-bdhi and deciion κ-bdhi aumption. It i eay to how that -BDHI aumption i equivalent to the tandard BDH aumption. It i not known if the κ-bdhi aumption, for κ > i equivalent to the BDH aumption [2]. Cheon [8] recently propoed an attack to the trong Diffie-Hellman (SDH) related problem. However, if the ecurity of a cryptographic cheme i baed on the variant of SDH problem, Cheon alo ugget to increae the key ize or ue a prime p uch that both p + and p have no mall divior greater than (log p) 2 to avoid the propoed attack in [8]. 3. AN IHDD SCHEME BASED ON THE DECISION BDHI ASSUMPTION 3. The Propoed Scheme Setup(l): On input of the maximum depth l of the hierarchy tree, an identity at depth j of the hierarchy tree i a vector of element in Z * p and denoted a ID j = (I,, I j ) (Z * p) j, j l. The et of all uer identitie in the hierarchy tree i denoted a S. The ymbol (i, i 2,, i k ) ancetor IDj denote the ubet of ID j ancetor in which i a repreent the ancetor at depth a of the hierarchy tree, a k < j. Let G, G, g and e be defined a the above ection. To generate ytem parameter for the l-ihdd cheme, the ytem (key generation center, KGC) elect different element x, y, y 2,, y l, z Z * p at random and define X = g x, Z = g z and Y i = g yi, i =, 2,, l. The public parameter param and the ecret key mater-key are given by param = (g, g x, g y, g y 2,, g y l, g z ) = (S, g, X, Y, Y 2,, Y l, Z), mater-key = (x, y, y 2,, y l, z). KeyGen(mater-key, ID j ): To generate the private key d j for an identity ID j S and ID j = (I,, I j ) (Z * p) j of depth j l, the KGC chooe a number r j Z * p at random and cal-

8 250 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG culate x rj( Iy I2y2 L Ijyj j z) K = g G, j where x + r j (I y + I 2 y I j y j + j z) 0 (mod p). The KGC output (r j, K j ) a the private key d j for ID j. Notice that d j mut be ent to ID j uing a ecure communication channel. Encrypt(param, Choice-type, Choice, M): To encrypt a meage M G under the Choice-type and the et Choice,. If Choice-type = Member-choice, Choice = {ID j } where ID j S and ID j = (I, I 2,, I j ) (Z * p) j, then the ender chooe a number Z * p at random and output a ciphertext I I I j 2 j C = L G G G 2 j ( X,( Y Y Y Z ), e( g, g) M). 2. If Choice-type = Member-ancetor-choice and Choice = {ID j } (i, i 2,, i k ) ancetor IDj where ID j S and ID j = (I,, I j ) (Z * p) j and i < i 2 < < i k < j, then the ender chooe a number Z * p at random and output a ciphertext I I2 I i i Ii + I i2 i2 i I i I k+ i k+ ik+ ik 2 i i+ i2 ik+ ik+ C = ( X,( Y Y LY Z ),( Y LY Z ), L,( Y LY Z ), k+ 2 G eg (, g) M) ( G ) where i k+ = j. (To implify the expreion, we ue i k+ to repreent j, i.e., ID ik+ = ID j ) Notice that the e(g, g) can be precomputed once and for all o that encryption doe not require any pairing computation. Decrypt(Choice-type, Choice, C): To decrypt a ciphertext C encrypted under the Choicetype and the et Choice,. If Choice-type = Member-choice, Choice = {ID j } where ID j S and ID j = (I,, I j ) (Z * p) j and C = (A, B, C), the receiver ID j ue the private key d = (r j, K j ) to output M = C/e(A B rj, K j ) G. Indeed, for a valid ciphertext, we have C e( g, g) M e( g, g) M = = = M. j 2 2 j j j eab (, K) eg (, K) r x+ ( I y + I y + L+ I y + jz) r egg (, ) j j 2. If Choice-type = Member-ancetor-choice and Choice = {ID j } (i, i 2,, i k ) ancetor IDj where ID j S and ID j = (I,, I j ) (Z * p) j and C = (A, B, B 2,, B k+, C), the

9 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 25 receiver ID iτ ue the private key d = (r iτ, K iτ ) to output M = C/( e A ( B B K B ), K i ) G τ 2 τ τ r i where ID iτ Choice, ID iτ = (I,, I iτ ), τ k + and i k+ = j. Indeed, for a valid ciphertext, we have C e( g, g) M e( g, g) M = = = M. ea ( ( B B K B), K ) eg (, K ) 2 τ ri x+ ( Iy+ I2y2+ K+ Ii yi + iτ z) ri τ eg (, g) i τ τ τ τ iτ Performance In the propoed l-ihdd cheme, the ciphertext given to an identity at level j can alo be decrypted by ome of it ancetor identitie elected by the ender. In term of efficiency, the decryption in the propoed l-ihdd cheme require only one pairing computation, a oppoed to at leat two pairing computation in the previou HIBE cheme [2, 3] and the ID-baed MRES []. Since e(g, g) can be precomputed and known by all identitie, the propoed l-ihdd cheme and the above related work do not require any pairing computation during the encryption operation. Although in the l-ihdd cheme the length of the ciphertext i varied depending on the number of the receiver, the private key of each uer conit of only two element and the length i independent of the hierarchy depth, wherea in previou HIBE cheme the length of the private key i varied depending on the hierarchy depth. We ummarize the above comparion in Table. Table. The comparion between the propoed l-ihdd cheme and ome related encryption. HIBE in [2] HIBE in [3] ID-baed Our l-ihdd MRES in [] cheme pairing required by decryption j pairing required by encryption the length of the private key varied varied contant ize contant ize the length of the ciphertext varied contant ize varied varied electable hierarchical acce no no ye ye centralized key ecrow no no ye ye j denote the depth of the pecified receiver in the hierarchy tree. 3.2 Security Analyi By adapting the proof technique propoed in [2], the propoed l-ihdd cheme i firt hown to be elective identity, choen plaintext (IND-ID-CPA) ecure under the deciion κ-bdhi aumption without uing random oracle. The decription that how to achieve elective identity, choen ciphertext ecurity (IND-ID-CCA) and how to handle arbitrary identitie are then given. Theorem Suppoe the (t, κ, ε)-deciion BDHI aumption hold in G. Then the propoed l-ihdd cheme i (t, q, ε )-elective identity, choen plaintext (IND ID CPA)

10 252 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG q ecure for any depth l, any q < κ, ε ε + and t t Θ((l + q )t ), where t i the p maximum time for an exponentiation in G. Proof: Suppoe that A make q private key querie and ha advantage ε in attacking the propoed l-ihdd cheme. Algorithm B will ue A to olve the deciion κ-bdhi problem in G. Given (g, g α, g (α2),, g (ακ), T) (G * ) κ+ G * for ome unknown α Z * p, with a game, B will determine whether T i equal to e(g, g) /α or not. The output i if T = e(g, g) /α, otherwie the output i 0. B interact with A in a game a follow. Preparation Algorithm B produce a generator h G * and κ pair of the form (w i, h /(α+wi) ) for different random number w, w 2,, w κ- Z * p a following tep:. Chooe random number w, w 2,, w κ- Z * p and let f ( z ) = κ ( z+ w ) i= i be a poly- i nomial function of degree κ. Expand the term of f into f(z) = κ cz. i= 0 i The contant term c 0 i non-zero. 2. Ue value (g, g α, g (α2),, g (ακ) ) to compute κ ( ) ( ) ( ) ( ) ( i i α ci f α α ci α f α α ) and ( ). h = g = g u = g = g = h i= 0 i= κ 3. Check that h G *. If h = G in G, it would mean that w i = α for ome w i. Then B would be able to olve the challenge directly. We thu aume that all w i α. 4. To contruct the pair (w i, h /(α+wi) ) for i =, 2,, κ, B take f i (z) = f(z)/(z + w i ) and calculate κ 2 i /( α+ w ) f ( α) ( α ) cˆ i i i h g ( g ), = = i= 0 where c ˆi i the coefficient of the polynomial f i (z). κ i 5. Let f ( z) + c = c z, where c 0 = 2c 0 and c i = c i for i =, 2,, κ. B compute h 2 ( c0 ) T = T T 0 i= 0 i 0, κ κ 2 i j ( α ) ( α ) cc + f ( α ) + c [ f ( α) c ]/ α Oberve that if 0 0 where T 0 (, ) i j = e g g = e( g, g ). i= 0 j= 0 T = e(g, g) /α, then T h = e(g f(α)/α, g f(α) ) = e(h, h) /α. The value h, u, T h and the pair (w i, h /(α+wi) ) for i =, 2,, κ will be ued throughout the imulation. Setup : On input of the maximum depth l of the hierarchy tree, an identity at depth j of the hierarchy tree i a vector of element in Z * p and denoted a ID j = (I,, I j ) (Z * p) j, j l. B give A the et S of all uer identitie in the hierarchy tree.

11 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 253 Commit: A output a Choice-type, a et Choice and an identity ID *, where ID * S and ID * = (I *, I * 2,, I * n) (Z * p) n Choice of depth n l that it tend to attack. Setup 2: B append l n unit element to ID * uch that ID * = (I *, I * 2,, I * n,,,, ) i a vector of length l if neceary. The ID * can be denoted a ID * = (I *, I * 2,, I * l). B generate the ytem parameter param = (h, X, Y,, Y l, Z) a follow. Cae : If Choice-type = Member-choice and Choice = {ID * }, then B run the following tep:. Chooe different number a, a 2,, a l, b Z * p at random. 2. Compute X = u = h α, Y i = h ai b ( ai + a2i2+ L+ anin) n for any i =, 2,, l, and Z = ( uh ). We implicitly define the mater key x = α, y i = a i and z = n - [bα (a I * + a 2 I * a n I * n)] o that X = h x, Y i = h yi, and Z = h z. 3. Publih the public parameter param = (h, X, Y, Y 2,, Y l, Z). Note that X, Y, Y 2,, Y l, Z are independent of ID * in the adverary view. 4. Let an integer β be ued to count the pair (w i, h /(α+wi) ) which had been ued in the imulation. Set the initial value β = 0. Cae 2: If Choice-type = Member-ancetor-choice and Choice = {ID j } (i, i 2,, i k ) ancetor IDj, then B run the following tep:. Chooe different number a, a 2,, a l, b Z * p at random. 2. Compute X = u = h α, Z = h b, Y i = h ai for any i {, 2,, l}\{i, i 2,, i k, n}, and Y iτ = ( i i ) b iτ j i I a τ τ j a j ( I i) τ = τ + τ ( u h ) for any i τ {i, i 2,, i k, n}. We implicitly define the mater key x = α, z = b, y i = a i and y iτ = ( I ) [ a ( i i ) b i τ α I a ] for i i τ τ j= i + j j τ τ τ any i {, 2,, l}\{i, i 2,, i k, n} and i τ {i, i 2,, i k, n} o that X = h x, Y i = h yi, and Z = h z. 3. Publih the public parameter param = (h, X, Y, Y 2,, Y l, Z). Note that X, Y, Y 2,, Y l, Z are independent of ID * in the adverary view. 4. Let an integer β be ued to count the pair (w i, h /(α+wi) ) which had been ued in the imulation. Set the initial value β = 0. Phae : A requet at mot q, q < κ, private key querie. Cae : If Choice-type = Member-choice, B conider a private key query correponding to it ID = (I,, I ) (Z * p), where l, ID S and ID ID *. Algorithm B repond the private key query by performing the following tep:. Set β = β Let (w β, h /(α+w β ) ) be the βth pair produced in the preparation tep. Define h β = h /(α+w β ). 3. B derive a private key for the identity ID = (I, I 2,, I ) a follow: (a) Contruct an r (Z * p) atifying the equation

12 254 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG ( + r n b)( α + wβ) = x+ r z+ Iiyi. i= Let x = α, y i = a i and z = n [bα (a I * + a 2 I * a n I * n)], we can get r w = Z Ia n I a n bw β n i i i = i= i i (b) If r = /(n - b), it implie x+ r ( z+ I ) 0. i iy = i = B return failure and abort thi game. (Thi incident i denoted a a Failure event.) (c) Otherwie, compute β p. h /( + r n b) /[ x r ( z I )] i iy + + = i β = h. Since w β i uniform in Z * p\{ α} and i currently independent of A view, then r i uniformly ditributed among all element in Z * p for which x+ r z+ Iiyi r n b i= 0 and / ( ). Therefore, the private key i private key. /( + r n b) β ( r, h ) for ID = (I,, I ). B give A the Cae 2: If Choice-type = Member-ancetor-choice, B conider a private key query correponding to it ID = (I, I 2,, I ) (Z * p) where l and ID Choice (= {ID * } (i, i 2,, i k ) ancetor ID * ). Before B run the following tep, B append l element to ID uch that ID = (I, I 2,, I, 0,, 0) i a vector of length l. Algorithm B repond the private key query by running:. Set β = β Let (w β, h /(α+w β ) ) be the βth pair produced in the preparation tep. Define h β = h /(α+w β ). 3. B derive a private key for the identity ID = (I, I 2,, I, 0,, 0) a follow. (a) Contruct an r Z * p atifying the following equation + r Ii ( Ii ) ai ( α + w ) x r z Iiy τ τ τ β = + + i iτ { i, i2, L, ik, n} i= l = x+ r z+ Iiyi. i= Let x = α, z = b, y i = a i for any i {, 2,, l}\{i, i 2,, i k, n}, and y iτ = ( I ) [ a iτ τ j= i + j α ( i i ) b I a ] for any i {i, i 2,, i k, n}, we can get τ τ j iτ iτ

13 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 255 r wβ =, b+ I a Δ i i i {, L, l}\{ i, L, i, n} k where Δ= ( ) + ( ) +. (b) If r = / ( I ( I ) a ), L i I i I i w a i i i b τ I j a τ τ β τ τ τ j iτ { i, L, ik, n} j= iτ + i { i, i,, i, n} iτ iτ i it implie τ τ 2 i= i i x+ r ( z+ I y ) = 0. k B return failure and abort thi game. (Thi incident i denoted a a Failure event.) (c) Otherwie, compute r i { i, i2,, i, n} Ii Ii a k i x r z τ L τ τ τ i= I i y i /( + ( ) ) /[ + h ( + )]. β = h Since w β i uniform in Z * p \{ α} and i currently independent of A view, then r i uniformly ditributed among all element in Z * p for which x+ r z+ I y 0 and r / I ( I ) a. i i iτ iτ iτ i= iτ { i, i2, L, ik, n} {,,,, } Therefore, the private key i /( + (, r i i ( ) ) i 2 i k n I i I i a τ L τ τ iτ r hβ ) I ). B give A the private key. for ID = (I, I 2,, Challenge: A output two meage M 0, M G. B chooe a bit b {0, } and a number ρ Z * p at random.. If Choice-type = Member-choice, then it repond with the ciphertext C = (h ρ, h bρ, T ρ M ). Define = ρ/α. On the one hand, if T h = e(h, h) /α, then we have h ρ b α h = h = X, bρ bα I y+ I2y2+ L+ Inyn+ nz I In n = = = L n ρ ρ/ α h = (, ) = (, ). h ( h ) ( h ) ( Y Y Z ), T e h h e h h 2. If Choice-type = Member-ancetor-choice, it repond with the ciphertext ρ a ρ a ρ i i2 ik + ( h, h, h,, h, T M ), a ρ ρ h C = L where i k+ = n. Define = ρ/α. On the one hand, if T h = e(h, h) /α, then we have b

14 256 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG ρ α h = h = X, iτ ( ) i ρ i α iτ i z I j i jy τ + j Ii I τ τ = τ + τ + iτ τ τ iτ + iτ h = ( h ) = ( h ) = ( Y... Y Z ), i =, τ k+, ρ/ α T = e( h, h) = e( h, h). a a i i ρ h It follow that C i a valid encryption of M b under ID * = (I *, I * 2,, I * n), with the uniformly ditributed randomization value = ρ/α Z * p. On the other hand, when T h i uniform in G \{T 0 }, then C i independent of the bit b in the adverary view. Phae 2: A requet more private key querie, for a total of at mot q < κ. Algorithm B repond a that in Phae. Gue: Finally, A output a gue b {0, }. If b = b, then B output meaning T = e(g, g) /α. Otherwie, it output 0 meaning T e(g, g) /α. When the input T atifie T = e(g, g) /α, it implie T h = e(h, h) /α in which cae A ha the probability Pr[b = b ] /2 > ε. On the other hand, when T i uniform and independent in G *, T h i uniform and independent in G \{T 0 } in which cae Pr[b = b ] = /2. Since the probability that A output b with b = b i at leat + ε and the Failure event q 2 happen with the probability at mot p, the probability that B output in cae of T = e(g, g) /α i at leat q + ε. 2 p Therefore, when x = α i uniform in Z * p and T i uniform in G * we have that 0 2 κ 2 κ α ( α ) ( α ) / α α ( α ) ( α ) ε = Pr[ B( gg,, g, L, g, egg (, ) ) = ] Pr[ B( gg,, g, L, g, T) = ] q q + ε ε 2 p = 2 p a required. Thi complete the proof of the theorem. 3.3 The Contruction of ID-CCA-ecure IHDD Scheme Canetti et al. [6] recently preented an efficient approach to contruct a CCA-ecure public-key encryption cheme from an IBE cheme. Their approach i briefly decribed a follow [6]. The public key of the new cheme i the mater public key PK of the IBE cheme and the ecret key i the correponding mater ecret key. To encrypt a meage with repect to a public key PK, the ender firt generate a key-pair (vk, k) for a trong one-time ignature cheme 2, and then encrypt the meage with repect to the identity vk. The reulting ciphertext C i then igned uing k to obtain a ignature σ. The final ciphertext conit of the verification key vk, the IBE ciphertext C and the ignature σ. To decrypt a ciphertext (vk, C, σ), the receiver firt verifie the ignature on C with repect to vk (and output invalid if the verification fail). The receiver then derive the ecret key SK vk correponding to the identity vk, and ue SK vk to decrypt the ciphertext C a per the 2 A trong ignature cheme ha the property that it i infeaible to create even a different ignature on the ame meage.

15 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 257 underlying IBE cheme. Canetti et al. [5, 6] extended the above approach to obtain a imple converion from any CPA-ecure binary tree encryption (BTE) cheme to a CCAecure HIBE. Accordingly, the propoed l-ihdd cheme can alo be extended to an IND-ID-CCA ecure l-ihdd cheme uing Canetti et al. approach [6]. Furthermore, we can extend the propoed l-ihdd cheme to handle arbitrary identitie ID l = (I, I 2,, I l ) with I j {0, } * (a oppoed to I j (Z * p) by firt hahing each I j uing a colliion reitant hah function H: {0, } * Z * p in the key generation and encryption algorithm. A tandard argument how that if the original l-ihdd cheme i IND-ID-CCA ecure, then o i the l-ihdd cheme with the additional colliion reitant hah function. 4. CONCLUSION Thi paper ha propoed a pairing-baed l-ihdd cheme. The propoed cheme allow an encrypted meage to be decrypted either by a pecified identity or by a pecified identity and all or ome of it ancetor identitie in the hierarchy tree. The private key of an identity contain only two element that are generated by a KGC, rather than by it parent identity. The propoed l-ihdd cheme ha low computation complexity in which the decryption operation need only one bilinear pairing computation and the encryption operation need no pairing computation. We have hown that the propoed cheme i IND-ID-CPA ecure in the tandard model under deciion BDHI aumption. In addition, the IND-ID-CPA ecure l-ihdd cheme can be converted into an IND-ID- CCA ecure l-ihdd cheme baed on the contruction method propoed by Canetti et al. [6]. However, how to contruct an l-ihdd cheme baed on other ecurity aumption, and even with a lower computation complexity than the propoed one, could be an intereting topic of future reearch. In addition, although the private key of each uer conit of only two element and the length i independent of the hierarchy depth in the propoed cheme, the length of the ciphertext i varied depending on the number of the receiver. Thu, how to contruct an l-ihdd cheme with contant ize ciphertext would alo be an intereting topic of future reearch. ACKNOLEDGMENT The author would like to thank the editor and the anonymou reviewer for their very helpful and valuable comment to enhance the clarity of the manucript. REFERENCES. J. Baek, R. Safavi-Naini, and W. Suilo, Efficient multi-receiver identity-baed encryption and it application to broadcat encryption, in Proceeding of Public Key Cryptography, LNCS 3386, 2005, pp D. Boneh and X. Boyen, Efficient elective-id identity baed encryption without random oracle, in Proceeding of Advance in Cryptology Eurocrypt, LNCS 3027, 2004, pp D. Boneh, X. Boyen, and E. Goh, Hierarchical identity baed encryption with con-

16 258 SHU-HUI CHANG, CHUAN-MING LI AND TZONELIH HWANG tant ize ciphertext, in Proceeding of Advance in Cryptology Eurocrypt, LNCS 3494, 2005, pp D. Boneh and M. Franklin, Identity-baed encryption from the Weil pairing, in Proceeding of Advance in Cryptology Crypto, LNCS 239, 200, pp R. Canetti, S. Halevi, and J. Katz, A forward-ecure public-key encryption cheme, in Proceeding of Advance in Cryptology Eurocrypt, LNCS 2656, 2003, pp R. Canetti, S. Halevi, and J. Katz, Choen-ciphertext ecurity from identity-baed encryption, in Proceeding of Advance in cryptology Eurocrypt, LNCS 3027, 2004, pp S. Chatterjee and P. Sarkar, Generalization of the elective-id ecurity model for HIBE protocol, in Proceeding of Public Key Cryptography, LNCS 3958, 2006, pp J. H. Cheon, Security analyi of the trong Diffie-Hellman problem, in Proceeding of Advance in Cryptology Eurocrypt, LNCS 4004, 2006, pp C. Cock, An identity baed encryption baed on quadratic reidue, in Proceeding of the 8th IMA International Conference on Cryptography and Coding, LNCS 2260, 2002, pp X. Du, Y. Wang, J. Ge, and Y. Wang, An ID-baed broadcat encryption cheme for key ditribution, IEEE Tranaction on Broadcating, Vol. 5, 2005, pp C. Gentry and A. Silverberg, Hierarchical ID-baed cryptography, in Proceeding of Advance in Cryptology, LNCS 250, 2002, pp J. Horwitz and B. Lynn, Toward hierarchical identity-baed encryption, in Proceeding of Advance in Cryptology Eurocrypt, LNCS 2332, 2002, pp A. Joux, A one round protocol for tripartite Diffiie-Hellman, in Proceeding of the 4th International Sympoium on Algorithmic Number Theory, LNCS 838, 2000, pp J. W. Lee, Y. H. Hwang, and P. J. Lee, Efficient pubic key broadcat encryption uing identifier of receiver, in Proceeding of Information Security Practice and Experience: Second International Conference, LNCS 3909, 2006, pp A. Shamir, Identity-baed cryptoytem and ignature cheme, in Proceeding of Advance in Cryptolog, LNCS 96, 984, pp C. Yang, X. Cheng, W. Ma, and X. Wang, A new ID-baed broadcat encryption cheme, in Proceeding of Autonomic and Truted Computing, LNCS 458, 2006, pp Shu-Hui Chang ( ) received her B.S. degree in Applied Mathematic from National Cheng Kung Univerity, Taiwan, in 984, and her M.S. degree in Applied Mathematic from National Cheng Kung Univerity, Taiwan, in 988. She work a an intructor in Center for General Education, Southern Taiwan Univerity. Her reearch interet include cryptography, information ecurity.

17 IDENTITY-BASED HIERARCHICAL DESIGNATED DECRYPTION 259 Chuan-Ming Li ( ) received the M.S. and Ph.D. degree in Computer Science from National Cheng Kung Univerity in 994 and 2008, repectively. He i currently an aitant profeor in the Department of Information Management, Shu- Zen College of Medicine and Management, Kaohiung, Taiwan. Hi reearch interet focu on data ecurity and cryptography. More recently hi reearch interet include the tudy of quantum cryptography. Tzonelih Hwang ( ) received the undergraduate degree from National Cheng Kung Univerity in 980, and the M.S. and Ph.D. degree in computer cience from the Univerity of Southwetern, Louiiana, in 988. He i currently a profeor in the Department of Computer Science and Information Engineering, National Cheng Kung Univerity. Hi reearch interet include cryptology, network ecurity, and coding theory.