Abstract: As of Hierarchical Identity Based Encryption (HIBE) systems, there are two important tasks should be accomplished properly, the first one is to establish logically hierarchical relationship between entities in the hierarchy tree, which is essentially accomplished through private key derivation by delegating responsibilities to lower-level PKGs and the other task is to achieve encryption privacy of ciphertext targeting an intended recipient. In this study, mechanisms of private key derivation in HIBE systems are classified, which explicitly define how and to what extent an entity in the hierarchy takes its level PKGs role of generating valid private keys for its descendants in the hierarchy. Moreover, a new delegation mechanism, authorized delegation is introduced, which can prevent any entity from deriving private keys for its descendants with use of its private key and delegate the responsibility of generating private keys for a specified entity through authorization by distributing a specific secret to an entity as an ancestor of the specified entity by the root PKG (primitive authorization) or some other authorized entities (chained authorization). As for encryption privacy of ciphertext in a HIBE system, which measures the possibility that ciphertexts targeting an entity are successfully decrypted by its ancestors or descendants, the encryption privacy is studied from two distinct perspectives, i.e., private key derivation perspective and private key legitimacy perspective. Furthermore, dominated encryption privacy and dedicated encryption privacy are defined and discussed from private key legitimacy perspective.
INTRODUCTION
An Identity Based Encryption (IBE) system is a public key system that an entitys public key can be any identifier of the entity (arbitrary string that is public and can identify the entity) and private key for the entity can be calculated from its identifier with use of a master key by an authority called Private Key Generator (PKG). Since the introduction of the concept of Identity Based Encryption (IBE) by Shamir (1985), there are no usable IBE constructions until the studies by Boneh and Franklin (2001), Cocks (2001) and Sakai and Kasahara (2000). The concept of Hierarchical Identity Based Encryption (HIBE) was first introduced by Horwitz and Lynn (2002). Gentry and Silverberg (2002), Canetti et al. (2003), Boneh and Boyen (2004a), Gentry (2006) and Waters (2005, 2009) constructed their schemes under the Decisional Bilinear Diffie-Hellman assumption (or variants of BDH assumption) and proved the security of their systems in standard model. Studies by Gentry (2006), Waters (2005, 2009) and Boneh et al. (2005) provided some fully secure schemes without random oracles.
Conventionally, it is taken for granted that in a HIBE system entities in the hierarchy have the power of generating valid private keys for their descendants; specifically, an entity can not only directly use its own private key and some public parameters to derive valid private keys along the hierarchy tree (usually derivation is accomplished by randomizing an ancestors private key), but also unrestrictedly generate valid private keys for all descendants of the entity if the entity wants to. Boneh et al. (2005) presented a HIBE scheme that is selective identity secure in standard model and fully secure in the random oracle model; notably, the scheme can achieve limited delegation and short ciphertexts regardless of the hierarchy depth.
Although, key escrow problem is inherent in IBE public cryptography, resulting from the mechanism of generating private keys for entities in the system, but it should not be exaggerated in HIBE systems, where lower level PKGs are unrestrictedly delegated to be capable of generating private keys for their descendants. Particularly, it is irrational and undesirable that a lower level PKG (as an ancestor) can generate valid private keys for a descendant with direct use of its private key and a lower level PKG can generate private keys for all of its descendants.
In order to preventing entities from deriving private keys for their descendants with direct use of their private keys, while providing a means for entities to be capable of deriving private keys for some of their descendants. A new technique for composing private keys for entities in HIBE hierarchy is proposed, that it was called differenting technique. When generating a private key for an identity,
MATERIALS AND METHODS
Different from the one-PKG characterized IBE, Hierarchical Identity Based Encryption (HIBE) accommodates level-oriented PKG configuration. Namely, the top level PKG is the root PKG (at level zero), who maintains a hierarchy tree of which non-leaf nodes are viewed as level PKGs. The HIBE allows the root PKG to balance the workload by delegating identity authentication, private key generation and private key distribution to lower level PKGs. Usually, delegation of private key generation for entities in the hierarchy is main job of responsibility delegation (from root PKG to lower level PKGs). The mechanisms of delegating private key generation can be classified into three classes, i.e., unlimited delegation, limited delegation and a new delegation firstly propsed in this study, authorized delegation with reference to criteria listed below. For ease of presentation, it is assumed that Entityi with identity IDi = (I1,..., Ii) is an ancestor of Entityj with identity IDi = (I1,..., Ij) that is IDi is a prefix of IDj such that IDi [k] = IDj [k] for all kε{1,...,i}.
• | Only an entitys private key or some specially crafted content other than private key should be utilize to generate private keys for the entitys descendants, besides some public parameters, such as system parameters, identities (public keys) of the descendants whose private keys are derived and so on |
• | Whether the private key generation can be hierarchically derived along the identity hierarchy tree; specifically, whether private key for Entityj+1 can be derived given a private key for Entityj is generated |
• | Whether Entityj should first generate private keys for all entities, which are descendants of Entityi and ancestors of Entityj prior to deriving a private key for Entityj |
Unlimited delegation: Unlimited delegation indicates that an entity dominates all of its descendants. Unlimited delegation means that an entity in the hierarchy can directly and unrestrictedly derive private keys for its descendants. Directly here means an entity can derive private keys for its descendants with only use of its private key, or the private key for the entity is the only needed secret for generating the descendants private keys. Unrestrictedly means that the private key derivation can be accomplished hierarchically by an entity for all of its descendants.
As of private key derivation in Boneh and Boyen (2004b, 2011) an Entityjs private key denoted dIDj can be hierarchically randomized to generate private keys for all of its descendants level by level. How Entityj can derive a private key for its child entity Entityj+1 with use of its private key dIDj, public system parameters, identity of the child and some random values is exemplified below.
Both private keys for Entityj and Entityj+1 with identities
Let Δd0 be the result of dIDj+1 [0], Δd0 is calculated as:
Correspondingly, other components can as well be calculated as
By repeating the derivation process above, the private key of Entityj+1 can be derived by any of its ancestors along the hierarchy. Consequently not only ciphertexts intended for an entity can be decrypted by any of its ancestors, but also the ancestor, being with knowledge of a private key of the descendant can do anything that the entity can do.
Limited delegation: Unlike unlimited delegation, limited delegation restricts the depth within which the descendants private keys can be derived. Limited delegation means that an entity at depth k with public identity IDk, denoted Entityk is given a restricted private key witht t instead of l-k (t<l-k, where l is the maximum hierarchy depth) extra secrets that only authorizes the ancestor (i.e., Entityk) to be able to derive private keys for its descendants of limited depth, beginning from Entityks child to its descendant at depth k+t (the deepest depth). If all l-k extra secrets are provided, then the entity at depth k can generate private keys for all of its descendant. Particularly, the HIBE system fails to only generate valid private keys for a descendant at a specified depth ξ for k+2≤ξ≤l without deriving private keys for descendants at depth k+1,..., ξ.
The HIBE system presented by Boneh et al. (2005) considers "Limited delegation" and related encryption privacy of preventing an ancestor from successfully decrypting ciphertexts targeting its descendants. Private keys for Entityj and Entityj+1 with identities
where, r(IDj) and r(IDj+1) are two random numbers picked from Zq by the root PKG. For clarity of representation, dIDj is denoted as
By repeating the process above, private keys for all descendants of Entityj can be derived with use of the Entityjs private key and needed historical content. Different from private key derivation in BB1 system, where private keys for a child can be derived by only randomizing its parents private keys, this HIBE system however, does need some extra historical content in deriving a private key for a child, in addition to randomizing the parents private key. For example, in deriving a private key for Entityj+1with use of Entityjs private key,
Then, if the root PKG does not provide l-j components
Actually, only the component
Authorized delegation: Limited delegation does prevent private keys for those descendants at depth beyond the limited depth from being derived. Nevertheless, there is no means to only derive a private key for Entityj+t with use of Entityjs private key without revealing private keys for those entities, which are at level between j+1 and j+t-1. This undesirable breach in privacy is resulted from the need of use of a parents private key when deriving a childs private key.
Authorized delegation means that private keys for an entity cannot be derived directly from its ancestors private keys. However, by distributing a secret specifically crafted for an entity to its ancestor by the root PKG, the ancestor is thus authorized to generate private keys for the specific descendant, while failing to generate private keys for any entity other than the specified descendant.
In the sequel a new technique: Differentiating technique is proposed, which can be applied to construct a HIBE system with authorized delegation of generating private keys for entities (always descendants of the generator). Particularly, what should be accomplished for achieving authorized delegation is as follows:
• | Planning private key composition, such as including share of randomizing the master secret and some components that make direct and unrestricted delegation of generating private keys for descendants impossible. Contrasted to private key derivation in (Gentry and Silverberg, 2002; Boneh and Boyen, 2004a, 2011), where both Sj and dIDj can be hierarchically randomized to generate private keys for IDj+1 = (Idj, Ij+1) IDj+2,... and so on |
• | Providing means for an entity, such as through authorization to be capable of generating private keys for a specified descendant entity. Authorization here can be achieved through secret distribution by equipping the generator with specially crafted content for deriving private keys for the specified entity, somewhat analogous to HIBE system presented by Boneh et al. (2005), where by equipping Entityj with needed secrets |
The main idea of this solution differentiating technique is to differentiate between identifiers I1,..., Ij of the identity IDj when extracting a private key for Entityj. Specifically, in addition to randomizing the master secret of the root PKG with each identifier of {I1,...,Ij} independently and uniformly for extracting a private key for Entityj, which is the only mechanism of private key extraction presented in Boneh and Boyen (2011) an extra share ξ resulted from the combination of Entityjs local identifier Ij and those random values picked correspondingly for identifiers I1,...,Ij-1 is introduced into the Entityjs private key. The extra share ξ anchors the generated private key only to the identity IDj = (I1,..., Ij). Anchor here means that the private key generated for Entityj can neither be used to derive private keys for its descendants, nor to decrypt ciphertexts intended for its ancestors or descendants. Namely, it is infeasible for an entity to derive private keys for its descendants with its private key, because there is no means for the Entityj to wipe off the share defined on its local identifier Ij from its private key and to introduce needed share related to the local identifier of each of its descendants for private key derivation in order to generate the corresponding descendants private key.
Moreover, this HIBE system does provide a mechanism for authorized private key derivation, i.e., deriving a valid private key for and only for a specified descendant. Assume that Entityi as an ancestor of Entityj is authorized to derive private keys for Entityj (the specified entity). Entityj can be authorized by distributing to it two copies of information, the first information is the result of randomizing the master secret along the identity hierarchy I1→...→Ii and the other copy is the result of combination of local identifier Ij of Entityj (not Entityi) with those random numbers picked for identifiers I1,..., Ii in randomizing the master secret. Then with these two copies of information Entityj can further hierarchically randomized these two copies with identical random number series along the identity hierarchies Ii+1→...→Ij and Ij→...→Ij, respectively and at last add these two copies of information. The summation is a private key for Entityj. It is worth noting that two copies of information during the derivation process, i.e., along the identity hierarchy Ij+1→...→Ij-1, neither can be used to derive private keys for entities other than Entityj, nor can be added to get a private key for any ancestor of Entityj.
RESULTS AND DISCUSSION
Unlike public key cryptography implemented in Public Key Infrastructure (PKI), where an entitys public and private key pair can be selected by either the trusted authority or the entity itself, private keys for an entity in HIBE system can only be generated by the root PKG or some domain (lower-level) PKGs. That is key escrow problem is inherent in (H) IBE public cryptography and ciphertexts for an entity can be decrypted by those entities that are capable of generating valid private keys for the entity. As a result, there is no encryption privacy of ciphertexts targeting entities for which private keys can be derived by their ancestor entities from the ancestors point of view.
With the technique detailed in section above, unlimited delegation is disabled with the differentiating technique and any entity needs to be authorized by the root PKG for being able to generate private keys for any of its descendants. Moreover, other than from private key derivation perspective, it is necessary to consider encryption privacy from private key legitimacy perspective, i.e., whether an entitys private key is legitimate for ciphertexts encrypted on identity of the entitys descendants.
Dominated encryption privacy: Means that ciphertexts targeting an entity can be decrypted by all or some of its ancestors without burden of generating a private key for the entity but with direct use of these ancestors private keys. As for HIBE scheme in Gentry and Silverberg (2002) and BB1 scheme in Boneh and Boyen (2004b, 2011) it is not necessary that any ancestor of Entityj should derive a private key for Entityj in order to decrypt ciphertexts intended for Entityj. When encrypting a given message M∈Gt intended for Entityj with identity
Let Entityj with identity IDk = (I1,..., Ik) be an ancestor of Entityj, the private key for Entityk denoted
Entityk can decrypt ciphertext C denoted
That is any ancestor of an entity can decrypt ciphertexts encrypted on the public key (i.e. identity) of the entity with only use of its own private key without need of deriving a valid private key for the entity.
Dedicated encryption privacy: Means that all entities other than the intended recipient of a ciphertext cannot decrypt the ciphertext, thus achieving encryption privacy of ciphertext dedicated only to the intended recipient. As for encryption privacy of HIBE system presented by Boneh et al. (2005), assume that Entityj is an ancestor of Entityj (without respect to whether Entityj is capable of deriving private keys for Entityj or not) and an encryptor encrypts a given messageMεG1 on Entityjs identity IDj = (I1,..., Ij) as:
then Entityj can decrypt the ciphertext with its private key as:
For a successful decryption, it is required that
where,
CONCLUSION
The mechanism of delegating private key generation is crucial in establishing logically hierarchical relationship between entities along hierarchy tree in HIBE systems, which should reflect the true institutional structures in real world. The delegation mechanisms are classified into three classes, with reference to how an entitys private key can be generated by lower-level PKGs other than the root PKG. Moreover, differentiating technique for achieving authorized delegation is proposed, which hierarchically derive secrets along identity hierarchies I1→...→Ij and Ij→...→Ij, i.e. by randomizing the master secret of the root PKG along the former and privacy specifically pertained to local identifier Ij (dedicated privacy) along the later and at last get a private key for Entityj. Contrasted to direct and unrestricted private key derivation in unlimited delegation HIBE systems and restricted private key derivation of limited depth in limited delegation HIBE systems, authorized delegation can explicitly authorize some entity to generate valid private keys for some specified entity of which ancestors private keys are not needed or generated at all.
At last, two types of encryption privacy, i.e., dominated encryption privacy and dedicated encryption privacy are discussed and compared from private key legitimacy perspective. It is unquestionably necessary to achieve dedicated encryption privacy when constructing a HIBE system.