1. ID-Based Encryption for Complex Hierarchies with Applications to Forward Security and Broadcast Encryption Danfeng Yao Nelly Fazio Brown University New York University Yevgeniy Dodis Anna Lysyanskaya New York University Brown University

2. Identity-based Encryption (IBE) and Hierarchical IBE (HIBE) Private Key S Bob@Brown Register as Bob@Brown  params, secret s  Ciphertext C = (M, Bob@Brown, params)Bob@ Bob Math Alice School CS ss  IBE [Shamir 84] [Boneh Frankline 01] [Cocks 01] [Canetti Halevi Katz 03] [Boneh Boyen 04] [Waters 04]  HIBE [Horwitz Lynn 02] [Gentry Silverberg 02] [Boneh Boyen 04] PKG

3. Why need forward-secure HIBE?  In HIBE, exposure of parent private keys compromises children’s keys  Forward-secure HIBE mitigates key exposure  Forward security [Gunther 89] [Diffie Oorschot Wiener 92] [Anderson 97] [Bellare Miner 99] [Abdalla Reyzin 00] [Malkin Micciancio Miner 02] [Canetti Halevi Katz 03] [Gunther 89] [Diffie Oorschot Wiener 92] [Anderson 97] [Bellare Miner 99] [Abdalla Reyzin 00] [Malkin Micciancio Miner 02] [Canetti Halevi Katz 03] Secret keys are evolved with time Secret keys are evolved with time Compromising current key does NOT compromise past communications Compromising current key does NOT compromise past communications Bob Math Alice School CS ss Time Safe Compromise

4. Applications of fs-HIBE  Forward-secure public-key broadcast encryption (fs-BE) BE schemes: [Fiat Naor 93] [Luby Staddon 98] [Garay Staddon Wool 00] [Naor Naor Lotspiech 01] [Halevy Shamir 02] [Kim Hwang Lee 03] [Goodrich Sun Tamassia 04] [Gentry Ramzan 04] BE schemes: [Fiat Naor 93] [Luby Staddon 98] [Garay Staddon Wool 00] [Naor Naor Lotspiech 01] [Halevy Shamir 02] [Kim Hwang Lee 03] [Goodrich Sun Tamassia 04] [Gentry Ramzan 04] HIBE is used in public-key broadcast encryption [Dodis Fazio 02] HIBE is used in public-key broadcast encryption [Dodis Fazio 02] Forward security is especially important in BE Forward security is especially important in BE  Multiple HIBE: Encryption scheme for users with multiple roles Time SafeKey compromised

5. Hierarchical IBE Root setup Lower-level setup S Bob S Math S CS Params, S School Encrypt (bob@cs.school)bob@cs.s Decrypt(S Bob )  HIBE [Horwitz Lynn 02] [Gentry Silverberg 02] [Boneh Boyen 04] (School, Math)(School, CS) (School, CS, Bob)

6. Forward-secure Public-Key Encryption  fs-PKE (Canetti, Halevi, and Katz 2003) Used to protect the private key of one user Used to protect the private key of one user Based on Gentry-Silverberg HIBE Based on Gentry-Silverberg HIBE A time period is a binary string A time period is a binary string Private key contains decryption key and future secrets Private key contains decryption key and future secrets Erase past secrets in algorithm Update Erase past secrets in algorithm Update secret s  Total time periods: 4 Period 1: (0 0) Period 2: (0 1) Period 3: (1 0) Period 4: (1 1) Encrypt(0 0) 0 0 0 1 1  1 S (School,00)

7. fs-HIBE requirements  Dynamic joins Users can join at any time Users can join at any time  Joining-time obliviousness  Collusion resistance  Security  Do naïve combinations of fs-PKE and HIBE work? John Eve Bob School Alice Math CS User 1User 2

8.  Each entity node maintains one tree For computing children’s private keys For computing children’s private keys For the forward security of itself For the forward security of itself  Not joining-time-oblivious CS joins at (0 1) with public key (School, 0, 1, CS) CS joins at (0 1) with public key (School, 0, 1, CS) Bob joins at (1 0) with public key (School, 0, 1, CS, 1, 0, Bob) Bob joins at (1 0) with public key (School, 0, 1, CS, 1, 0, Bob) Sender needs to know when CS and Bob joined Sender needs to know when CS and Bob joined School 01 0 1 CS Bob An fs-HIBE attempt 01 1 0 1 0 1 0

9. Another fs-HIBE attempt  Each node maintains two subtrees Left subtree for forward security and right subtree for adding children Left subtree for forward security and right subtree for adding children  Does not work either  01 01  School  CS  01 Math Bob 01 0101

10. Overview of our fs-HIBE scheme  Based on HIBE [Gentry Silverberg 02] and fs-PKE (Canetti Halevi Katz 03] schemes  Scalable, efficient, and provable secure Forward security Forward security Dynamic joins Dynamic joins Joining-time obliviousness Joining-time obliviousness Collusion resistance Collusion resistance  Security based on Bilinear Diffie-Hellman assumption [BF 01] and random oracle model [Bellare Rogaway 93] Chosen-ciphertext secure against adaptive-chosen-(ID-tuple, time) adversary Chosen-ciphertext secure against adaptive-chosen-(ID-tuple, time) adversary

11. fs-HIBE algorithm definitions Root setup (t = 0 0)Encrypt (bob@cs.brown, 28.Oct.2004)bob@cs.brown Decrypt(S Bob, 28.Oct.2004 ) Lower-level setup Update S Bob, t’ S Math, t S CS, t S School, 00

12. fs-HIBE Root setup  Similar to key derivation of fs-PKE  Private key for time (0 0) contains decryption key for (0 0), and future secrets  Generates params, decryption key, and future secrets S (School,00) 0 0 0 1 1  1 an intermediate secret decryption key for time (0 0) secrets for future keys || String concatenation + Group addition operation  Group multiplication operation Pick random secrets s  and s’ = s   H (0 || School) = s   H (1 || School) = + s’  H (0 0 || School) = + s’  H (0 1 || School) Erase, s  and s’ Random secret s 

13. fs-HIBE algorithms cont’d  Lower-level setup is used by a node at time t to compute keys for its children Similar to Root setup Similar to Root setup Computes both decryption key Computes both decryption key at time t, and future secrets  Update Similar as in fs-PKE Similar as in fs-PKE  Encrypt With time (0 0) and ID-tuple (School, CS, Bob) With time (0 0) and ID-tuple (School, CS, Bob)  Decrypt Decryption key is used Decryption key is used School Intermediate secrets 0 0 Suppose CS and Bob join at time period (0 0). BobCS School CS Bob 0 0 Components of ciphertext Intermediate

14. HIBE in broadcast encryption Valid user Revoked user Center

15. Forward-secure broadcast encryption  Public-key BE by Dodis and Fazio Uses HIBE to implement a subset-cover framework [Naor Naor Lotspiech 01] Uses HIBE to implement a subset-cover framework [Naor Naor Lotspiech 01]  A scalable fs-BE scheme Dynamic joins and joining-time obliviousness Dynamic joins and joining-time obliviousness Users update secret keys autonomously Users update secret keys autonomously  Algorithms: KeyGen, Reg, Upd, Enc, Dec KeyGen (t = 0) S Center,0 Update Want to join at t S u, t Reg Enc(M, t) Dec( S u, t )

16. Security of fs-HIBE  “Security definitions” Secure for past communications of compromised nodes Secure for past communications of compromised nodes Secure for ancestor nodes Secure for ancestor nodes Secure for sibling nodes Secure for sibling nodes  Security based on hardness of BDH problem and random oracle model  Theorem Suppose there is an adaptive adversary A  : advantage against one-way secure fs-HIBE  : advantage against one-way secure fs-HIBE h: level of some target ID-tuple h: level of some target ID-tuple l = log 2 N and N is the total number of time periods l = log 2 N and N is the total number of time periods H 1, H 2 : random oracles H 1, H 2 : random oracles q H2 : number of hash queries made to hash function H 2 q H2 : number of hash queries made to hash function H 2 q E : number of hash queries made to lower-level setup queries q E : number of hash queries made to lower-level setup queries then there exists an algorithm B that solves BDH problem with advantage then there exists an algorithm B that solves BDH problem with advantage h + l e(2lq E + h + l) (()(h+l)/2 1 2n2n2n2n – ) q H2 /