From Selective IBE to Full IBE and Selective HIBE



Friedrich-Alexander-University Erlangen-Nürnberg, Nürnberg, Germany [email protected]
2 University of California, Berkeley, USA

Abstract. Starting with any selectively secure identity-based encryption (IBE) scheme, we give generic constructions of fully secure IBE and selectively secure hierarchical IBE (HIBE) schemes. Our HIBE scheme allows for delegation arbitrarily many times.

1 Introduction

Identity-based encryption schemes [Sha84,Coc01,BF01] (IBE) are public key encryption schemes [DH76,RSA78] for which arbitrary strings can serve as valid public keys, given short public parameters. Additionally, in such a system, given the master secret key corresponding to the public parameters, one can efficiently compute secret keys corresponding to any string id. A popular use case for this type of encryption is certificate management for encrypted email: A sender Alice can send an encrypted email to Bob at [email protected] by just using the string “[email protected]” and the public parameters to encrypt the message. Bob can decrypt the email using a secret-key corresponding to “[email protected]” which he can obtain from the setup authority that holds the master secret key corresponding to the public parameters.

Two main security notions for IBE have been considered in the literature: selective security and full security. In the selective security experiment of identity-based encryption [CHK04], the adversary is allowed to first choose a challenge identity and may then obtain the public parameters and the identity secret keys for identities different from the challenge identity. The adversary’s goal is to distinguish messages encrypted under the challenge identity, for which he is not allowed to obtain a secret key. On the other hand, in the fully secure notion [BF01], the (adversarial) choice of the challenge identity may depend arbitrarily on the public parameters. That is, the adversary may choose the challenge identity after seeing the public parameters and any number of identity secret keys of its choice. It is straightforward to see that any scheme that features full security is also selectively secure. On the other hand, example IBE schemes that are selectively secure but trivially insecure in the full security sense can be constructed without significant effort.

Research supported in part from AFOSR YIP Award, DARPA/ARL SAFEWARE Award W911NF15C0210, AFOSR Award FA9550-15-1-0274, NSF CRII Award 1464397, and research grants by the Okawa Foundation, Visa Inc., and Center for Long-Term Cybersecurity (CLTC, UC Berkeley). The views expressed are those of the author and do not reflect the official policy or position of the funding agencies.

© International Association for Cryptologic Research 2017. Y. Kalai and L. Reyzin (Eds.): TCC 2017, Part I, LNCS 10677, pp. 372–408, 2017. https://doi.org/10.1007/978-3-319-70500-2_13

The first IBE scheme was realized by Boneh and Franklin [BF01] based on bilinear maps. Soon after, Cocks [Coc01] provided the first IBE scheme based on quadra