Identity-based Hierarchical Key-insulated Encryption without Random Oracles

Key-insulated encryption is one of the effective solutions to a key exposure problem. At Asiacrypt\u2705, Hanaoka et al. proposed an identity-based hierarchical key-insulated encryption (hierarchical IKE) scheme. Although their scheme is secure in the random oracle model, it has a ``hierarchical key-updating structure,\u27\u27 which is attractive functionality that enhances key exposure resistance. In this paper, we first propose the hierarchical IKE scheme without random oracles. Our hierarchical IKE scheme is secure under the symmetric external Diffie-Hellman (SXDH) assumption, which is known as the simple and static one. Particularly, in the non-hierarchical case, our construction is the first IKE scheme that achieves constant-size parameters including public parameters, secret keys, and ciphertexts. Furthermore, we also propose the first public-key-based key-insulated encryption (PK-KIE) in the hierarchical setting by using our technique

Efficient (Anonymous) Compact HIBE from Standard Assumptions

Abstract. We present two hierarchical identity-based encryption (HIBE) schemes, denoted as H1 and H2, from Type-3 pairings with constant sized ciphertexts. Scheme H1 achieves anonymity while H2 is non-anonymous. The constructions are obtained by extending the IBE scheme recently proposed by Jutla and Roy (Asiacrypt 2013). Security is based on the standard decisional Symmetric eXternal Diffie-Hellman (SXDH) assumption. In terms of provable security properties, previous direct constructions of constant-size ciphertext HIBE had one or more of the following drawbacks: security in the weaker model of selective-identity attacks; exponential security degradation in the depth of the HIBE; and use of non-standard assumptions. The security arguments for H1 and H2 avoid all of these drawbacks. These drawbacks can also be avoided by obtaining HIBE schemes by specialising schemes for hierarchical inner product encryption; the downside is that the resulting efficiencies are inferior to those of the schemes reported here. Currently, there is no known anonymous HIBE scheme having the security properties of H1 and comparable efficiency. An independent work by Chen and Wee describes a non-anonymous HIBE scheme with security claims and efficiency similar to that of H2; we note though that in comparison to H2, the Chen-Wee HIBE scheme has larger ciphertexts and less efficient encryption and decryption algorithms. Based on the current state-of-the-art, H1 and H2 are the schemes of choice for efficient implementation of (anonymous) HIBE constructions