WO2003081780A2 - Hierarchical identity-based encryption and signature schemes - Google Patents


Publication number
WO2003081780A2
Authority
WO
WIPO (PCT)
Prior art keywords
cyclic group
level
key generation
recipient
pkg
Prior art date
Application number
PCT/US2003/008010
Other languages
English (en)
French (fr)
Other versions
WO2003081780A3 (en)
Inventor
Craig B. Gentry
Alice Silverberg
Original Assignee
Docomo Communications Laboratories Usa, Inc.
Priority date
Filing date
Publication date
Application filed by Docomo Communications Laboratories Usa, Inc.
Priority to JP2003579369A (patent JP4405810B2)
Priority to EP03711597A (patent EP1495573B1)
Priority to CN038039109A (patent CN1633774B)
Priority to AU2003214189A (patent AU2003214189A1)
Priority to DE60325575T (patent DE60325575D1)
Publication of WO2003081780A2
Publication of WO2003081780A3

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L9/08 Key distribution or management, e.g. generation, sharing or updating, of cryptographic keys or passwords
    • H04L9/0816 Key establishment, i.e. cryptographic processes or cryptographic protocols whereby a shared secret becomes available to two or more parties, for subsequent use
    • H04L9/0819 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s)
    • H04L9/083 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP]
    • H04L9/0833 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key
    • H04L9/0836 Key transport or distribution, i.e. key establishment techniques where one party creates or otherwise obtains a secret value, and securely transfers it to the other(s) involving central third party, e.g. key distribution center [KDC] or trusted third party [TTP] involving conference or group key using tree structure or hierarchical structure
    • H04L9/006 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models
    • H04L9/007 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving public key infrastructure [PKI] trust models involving hierarchical structures
    • H04L9/0838 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these
    • H04L9/0847 Key agreement, i.e. key establishment technique in which a shared key is derived by parties as a function of information contributed by, or associated with, each of these involving identity based encryption [IBE] schemes
    • H04L9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L9/3066 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves
    • H04L9/3073 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy involving algebraic varieties, e.g. elliptic or hyper-elliptic curves involving pairings, e.g. identity based encryption [IBE], bilinear mappings or bilinear pairings, e.g. Weil or Tate pairing
    • H04L9/32 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials
    • H04L9/3247 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures
    • H04L9/3252 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols including means for verifying the identity or authority of a user of the system or for message authentication, e.g. authorization, entity authentication, data integrity or data verification, non-repudiation, key authentication or verification of credentials involving digital signatures using DSA or related signature schemes, e.g. elliptic based signatures, ElGamal or Schnorr schemes

Definitions

  • the present invention relates in general to cryptography and secure communication via computer networks or via other types of systems and devices, and more particularly to hierarchical, identity-based schemes for encrypting and decrypting communications.
  • identity-based cryptosystems are public key cryptosystems in which the public key of an entity is derived from information associated with the entity's identity.
  • the identity information may be personal information (i.e., name, address, email address, etc.), or computer information (i.e., IP address, etc.).
  • identity information may include not only information that is strictly related to an entity's identity, but also widely available information such as the time or date. That is, the importance of the concept of identity information is not its strict relation to the entity's identity, but that the information is readily available to anyone who wishes to encrypt a message to the entity.
  • An entity's private key is generated and distributed by a trusted party or logical process, typically known as a private key generator ("PKG").
  • PKG uses a master secret to generate private keys.
  • Because an entity's public key may be derived from its identity, when Alice wants to send a message to Bob, she does not need to retrieve Bob's public key from a database. Instead, Alice merely derives the key directly from Bob's identifying information. Databases of public keys are unnecessary. Certificate authorities (“CAs”) also are unnecessary. There is no need to "bind" Bob's identity to his public key because his identity is his public key.
  • the known identity-based encryption schemes have a significant shortcoming — they are not hierarchical.
  • In non-identity-based public key cryptography, it has been possible to have a hierarchy of CAs in which the root CA can issue certificates for other CAs, who in turn can issue certificates for users in particular domains. This is desirable because it reduces the workload on the root CA.
  • a practical hierarchical scheme for identity-based cryptography has not been developed.
  • a hierarchical identity-based encryption scheme would involve a hierarchy of logical or actual PKGs. For instance, a root PKG may issue private keys to other PKGs, who in turn would issue private keys to users in particular domains. It also would be possible to send an encrypted communication without an online lookup of the recipient's public key or lower-level public parameters, even if the sender is not in the system at all, as long as the sender obtained the public parameters of the root PKG. Another advantage of a hierarchical identity-based encryption scheme would be damage control. For instance, disclosure of a domain PKG's secret would not compromise the secrets of higher-level PKGs, or of any other PKGs that are not direct descendents of the compromised domain PKG. The schemes taught by Cocks and Boneh-Franklin do not have these properties.
  • a secure and practical hierarchical identity-based encryption scheme has not been developed.
  • a hierarchical identity-based key sharing scheme with partial collusion-resistance is given in G. Hanaoka, T. Nishioka, Y. Zheng, H. Imai, An Efficient Hierarchical Identity-Based Key-Sharing Method Resistant against Collusion Attacks, ADVANCES IN CRYPTOGRAPHY— ASIACRYPT 1999, Lecture Notes in Computer Science 1716 (1999), Springer 348-362; and G. Hanaoka, T. Nishioka, Y. Zheng, H.
  • a method for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators ("PKGs").
  • the PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein $n \geq 1$.
  • a root key generation secret is selected and is known only to the root PKG.
  • a root key generation parameter is generated based on the root key generation secret.
  • a lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG.
  • a lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator.
  • the message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information.
  • a recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient identity information.
  • the ciphertext is decoded to recover the message using at least the recipient private key.
  • a method for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators ("PKGs").
  • the PKGs include at least a root PKG, m lower-level PKGs in the hierarchy between the root PKG and the sender, wherein $m \geq 1$, n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein $n \geq 1$, and $PKG_l$, which is a common ancestor PKG to both the sender and the recipient.
  • $l$ of the m private key generators are common ancestors to both the sender and the recipient, wherein $l > 1$.
  • a lower-level key generation secret is selected for each of the m lower-level PKGs in the hierarchy between the root PKG and the sender.
  • a sender private key is generated such that the sender private key is related to at least the root key generation secret, one or more of the m lower-level key generation secrets associated with the m lower-level PKGs in the hierarchy between the root PKG and the sender, and sender identity information.
  • a recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and recipient identity information.
  • the message is encoded using at least the recipient identity information, the sender private key, and zero or more of the lower-level key generation parameters associated with the $(m - l + 1)$ private key generators at or below the level of the common ancestor $PKG_l$, but not using any of the lower-level key generation parameters that are associated with the $(l - 1)$ PKGs above the common ancestor $PKG_l$.
  • the message is decoded using at least the sender identity information, the recipient private key, and zero or more of the lower-level key generation parameters associated with the $(n - l + 1)$ private key generators at or below the level of the common ancestor $PKG_l$, but not using any of the lower-level key generation parameters that are associated with the $(l - 1)$ PKGs above the common ancestor $PKG_l$.
  • a method for generating and verifying a digital signature of a message between a sender and a recipient in a system including a plurality of PKGs.
  • the PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the sender, wherein $n \geq 1$.
  • a root key generation secret is selected and is known only to the root PKG.
  • a root key generation parameter is generated based on the root key generation secret.
  • a lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG.
  • a lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator.
  • a private key is generated for the sender such that the private key is related to at least the root key generation secret and sender identity information.
  • the message is signed to generate the digital signature using at least the sender private key.
  • the digital message is verified using at least the root key generation parameter and the sender identity information.
  • FIG. 1 shows a flow diagram illustrating a method of encoding and decoding a digital message according to one presently preferred embodiment of the invention
  • FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a digital message between a sender y and a recipient z according to another presently preferred embodiment of the invention
  • FIG. 3 shows a block diagram illustrating a typical hierarchical structure in which this method of FIG. 2 may be performed
  • FIG. 4 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention
  • FIG. 5 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention
  • FIG. 6 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention
  • FIG. 7 shows a flow diagram illustrating a method of generating and verifying a digital signature according to another presently preferred embodiment of the invention.
  • FIG. 8 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • FIG. 9 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • the presently preferred methods of the invention provide secure and practical hierarchical identity-based encryption (“HIDE”) and signature (“HIDS”) schemes.
  • the hierarchical schemes are fully scalable, have total collusion resistance on an arbitrary number of levels, and have chosen-ciphertext security in the random oracle model.
  • These objectives are achieved, in part, by introducing additional random information at each of the lower-level PKGs.
  • One intuitively surprising aspect of these schemes is that, even though lower level PKGs generate additional random information, this does not necessitate adding public parameters below the root level of the hierarchy.
  • the random information generated by a lower-level PKG does not adversely affect the ability of users not under the lower-level PKG to send encrypted communications to users under the lower-level PKG.
  • Each of the HIDE and HIDS schemes of the present invention requires a hierarchical structure of PKGs, including at least one root PKG and a plurality of lower-level PKGs.
  • the hierarchy and the lower-level PKGs may be logical or actual. For instance, a single entity may generate both a root key generation secret and the lower-level key generation secrets from which lower-level users' encryption or signature keys are generated.
  • the lower-level PKGs are not separate entities, but are merely processes or information arranged in a logical hierarchy and used to generate keys for descendent PKGs and users in the hierarchy.
  • each lower-level PKG may be a separate entity.
  • Another alternative involves a hybrid of actual and logical lower-level PKGs.
  • the term "lower-level PKG" will be used generically to refer to any of these alternatives.
  • identity-based public keys may be based on time periods. For instance, a particular recipient's identity may change with each succeeding time period. Alternatively, a recipient may arrange the time periods as children or descendents of itself in a hierarchy, and a sender would use the identity of the proper time period when encoding the message. Either way, each key may be valid for encrypting messages to Bob only during the associated time period.
  • the HIDE schemes of the present invention generally include five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Encryption, and Decryption. Three of these algorithms rely upon the identities of the relevant entities in the hierarchy.
  • Each user preferably has a position in the hierarchy that may be defined by its tuple of IDs: $(ID_1, \ldots, ID_t)$.
  • the user's ancestors in the hierarchy are the root PKG and the users, or PKGs, whose ID-tuples are $\{(ID_1, \ldots, ID_i) : 1 \leq i \leq (t-1)\}$.
  • the ID-tuples preferably are represented as binary strings for purposes of computations.
  • the root PKG uses a security parameter k to generate public system parameters params and a root key generation secret.
  • the system parameters include a description of the message space $\mathcal{M}$ and the ciphertext space $X$.
  • the system parameters will be publicly available, while only the root PKG will know the root key generation secret.
  • each lower-level PKG preferably generates its own lower-level key generation secret for purposes of extraction.
  • a lower-level PKG may generate random one-time secrets for each extraction.
  • a PKG (whether the root PKG or a lower-level PKG) generates a private key for any of its children.
  • the private key is generated using the system parameters, the generating PKG's private key, and any other preferred secret information.
  • a sender receives the system parameters from the root PKG, preferably via some secure means outside the present system. It is not necessary for the sender to receive any of the lower-level key generation parameters.
  • the sender encodes a message $M \in \mathcal{M}$ to generate a ciphertext $C \in X$ using params and the ID-tuple of the intended recipient.
  • the recipient decodes the ciphertext to recover the message M using params and the recipient's private key d. Encryption and decryption preferably satisfy the standard consistency constraint:
  • the HIDS schemes of the present invention also generally include five randomized algorithms: Root Setup, Lower-level Setup, Extraction, Signing, and Verification.
  • In Root Setup, the system parameters are supplemented to include a description of the signature space.
  • Lower-level Setup and Extraction preferably are the same as for HIDE, as described above.
  • the sender of a digital message signs the message $M \in \mathcal{M}$ to generate a signature S in the signature space using params and the sender's private key d.
  • the recipient of the signed message verifies the signature S using params and the ID-tuple of the sender.
  • the Verification algorithm preferably outputs "valid" or "invalid". Signing and Verification also preferably satisfy a consistency constraint:
  • an adversary may choose the identity of its target adaptively or nonadaptively.
  • An adversary that chooses its target adaptively will first make hash queries and extraction queries, and then choose its target based on the results of these queries.
  • Such an adversary might not have a particular target in mind when it begins the attack. Rather, the adversary is successful if it is able to hack somebody.
  • a nonadaptive adversary chooses its target independently from results of hash queries and extraction queries. For example, such an adversary might target a personal enemy.
  • the adversary may still make hash queries and extraction queries, but its target choice is based strictly on the target's identity, not on the query results.
  • security against an adaptively-chosen-target adversary is the stronger, and therefore preferable, notion of security.
  • the security analysis of the HIDE schemes in the present invention addresses both types of security.
  • a HIDE scheme is said to be semantically secure against adaptive chosen ciphertext and adaptive chosen target attack if no polynomially bounded adversary A has a non-negligible advantage against the challenger in the following game.
  • SETUP The challenger takes a security parameter k and runs the Root Setup algorithm. It gives the adversary the resulting system parameters params. It keeps the root key generation secret to itself.
  • PHASE 1 The adversary issues queries $q_1, \ldots, q_m$, where $q_i$ is one of:
  • Extraction query ($\text{ID-tuple}_i$): The challenger runs the Extraction algorithm to generate the private key $d_i$ corresponding to $\text{ID-tuple}_i$, and sends $d_i$ to the adversary.
  • Decryption query ($\text{ID-tuple}_i$, $C_i$): The challenger runs the Extraction algorithm to generate the private key $d_i$ corresponding to $\text{ID-tuple}_i$, runs the Decryption algorithm to decrypt $C_i$ using $d_i$, and sends the resulting plaintext to the adversary.
  • the queried ID-tuple may correspond to a position at any level of the hierarchy.
  • CHALLENGE Once the adversary decides that Phase 1 is over, it outputs two equal-length plaintexts $M_0, M_1 \in \mathcal{M}$ and an ID-tuple on which it wishes to be challenged. The only constraints are that neither this ID-tuple nor its ancestors appear in any private key extraction query in Phase 1. The challenger picks a random bit $b \in \{0,1\}$ and sets $C = \text{Encryption}(\textit{params}, \text{ID-tuple}, M_b)$. It sends C as a challenge to the adversary.
  • Decryption query (C, $\text{ID-tuple}_i$): The challenger responds as in Phase 1.
  • the queries in Phase 2 are subject to the constraint that the challenger cannot make an Extraction query on the ID-tuple associated with the challenge ciphertext C, or make a Decryption query using that ID-tuple and the ciphertext C. This same constraint also applies to all ancestors of the ID-tuple.
  • a HIDE scheme is said to be a one-way encryption scheme if no polynomial time adversary has a non-negligible advantage in the game described below.
  • the adversary A is given a random public key $K_{pub}$ and a ciphertext C that is the encryption of a random message M using $K_{pub}$, and outputs a guess for the plaintext.
  • the adversary's advantage against the scheme is the probability that A outputs M.
  • the game is played as follows:
  • PHASE 1 The adversary makes public key and/or extraction queries as in Phase 1 of the chosen-ciphertext security analysis described above.
  • PHASE 2 The adversary issues more public-key queries and more extraction queries on identities other than ID and its ancestors, and the challenger responds as in Phase 1.
  • the schemes of the present invention are secure against the challenges described above.
  • the HIDS schemes of the present invention are secure against existential forgery on adaptively chosen messages.
  • An adversary should be unable to forge its target's signature on other messages that the target has not signed previously, even after (adaptively) obtaining the target's signature on messages of the adversary's choosing.
  • a HIDS adversary also will have the ability to make public key queries and private key extraction queries on entities other than the target and its ancestors, and the ability to choose its target.
  • the adversary's choice of target may be adaptive or nonadaptive.
  • the presently preferred HIDE and HIDS schemes of the present invention are based on pairings, such as, for instance, the Weil or Tate pairings associated with elliptic curves or abelian varieties.
  • the methods also are based on the Bilinear Diffie-Hellman problem. They use two cyclic groups $\Gamma_1$ and $\Gamma_2$, preferably of the same large prime order q.
  • the first group $\Gamma_1$ preferably is a group of points on an elliptic curve or abelian variety, and the group law on $\Gamma_1$ may be written additively.
  • the second group $\Gamma_2$ preferably is a multiplicative subgroup of a finite field, and the group law on $\Gamma_2$ may be written multiplicatively.
  • other types of groups may be used as $\Gamma_1$ and $\Gamma_2$ consistent with the present invention.
  • the methods also use a generator $P_0$ of the first group $\Gamma_1$.
  • a pairing or function $e: \Gamma_1 \times \Gamma_1 \to \Gamma_2$ is provided for mapping two elements of the first group $\Gamma_1$ to one element of the second group $\Gamma_2$.
  • the function e preferably satisfies three conditions.
  • the function e preferably is non-degenerate, such that the map does not send all pairs in $\Gamma_1 \times \Gamma_1$ to the identity in $\Gamma_2$.
  • the function e preferably is efficiently computable. A function e satisfying these three conditions is considered to be admissible.
  • the security of the HIDE and HIDS schemes of the present invention is based primarily on the difficulty of the Bilinear Diffie-Hellman problem.
  • the Bilinear Diffie-Hellman problem is that of finding $e(P, P)^{abc}$ given a randomly chosen $P \in \Gamma_1$, as well as aP, bP, and cP (for unknown randomly chosen $a, b, c \in \mathbb{Z}/q\mathbb{Z}$). Solving the Diffie-Hellman problem in $\Gamma_1$ solves the Bilinear Diffie-Hellman problem because $e(P, P)^{abc} = e(abP, cP)$.
  • $\Gamma_1$ and $\Gamma_2$ should be chosen such that there is no known algorithm for efficiently solving the Diffie-Hellman problem in either $\Gamma_1$ or $\Gamma_2$. If the Bilinear Diffie-Hellman problem is hard for a pairing e, then it follows that e is non-degenerate.
  • a randomized algorithm $I\Gamma$ is a Bilinear Diffie-Hellman generator if $I\Gamma$ takes a security parameter k > 0, runs in time polynomial in k, and outputs the description of two groups $\Gamma_1$ and $\Gamma_2$, preferably of the same prime order q, and the description of an admissible pairing $e: \Gamma_1 \times \Gamma_1 \to \Gamma_2$.
  • the advantage $Adv_{I\Gamma}(B)$ that an algorithm B has in solving the Bilinear Diffie-Hellman problem is defined to be the probability that the algorithm B outputs $e(P, P)^{abc}$ when the inputs to the algorithm are $\Gamma_1$, $\Gamma_2$, e, P, aP, bP, and cP, where $(\Gamma_1, \Gamma_2, e)$ is the output of $I\Gamma$ for a sufficiently large security parameter k, P is a random generator of $\Gamma_1$, and a, b, and c are random elements of $\mathbb{Z}/q\mathbb{Z}$.
  • the assumption underlying the Bilinear Diffie-Hellman problem is that $Adv_{I\Gamma}(B)$ is negligible for all efficient algorithms B.
  • FIG. 1 shows a flow diagram illustrating a method of encoding and decoding a digital message according to one presently preferred embodiment of the invention.
  • the method is performed in a HIDE system including a plurality of PKGs.
  • the PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n ⁇ 1.
  • the root PKG selects a root key generation secret known only to the root PKG.
  • the root key generation secret may be used to generate private keys for PKGs and/or users below the root PKG in the hierarchy.
  • the root PKG then generates a root key generation parameter based on the root key generation secret in block 104.
  • the root key generation parameter is used to mask the root key generation secret.
  • the root key generation parameter may be revealed to lower-level PKGs without compromising the root key generation secret.
  • the lower-level PKGs select lower-level key generation secrets in block 106.
  • the lower-level key generation secret associated with a given lower-level PKG may be used to generate private keys for PKGs and/or users below the associated lower-level PKG in the hierarchy.
  • each of the lower-level key generation secrets is known only to its associated lower-level PKG.
  • lower-level key generation parameters are generated for each of the n lower-level PKGs.
  • Each of the lower-level key generation parameters is generated using at least the lower-level key generation secret for its associated lower-level PKG.
  • each of the lower-level key generation parameters masks its associated lower-level key generation secret.
  • using at least the root key generation parameter and identity information associated with the recipient, the sender encodes the message in block 110 to form a ciphertext.
  • the message may be encoded using only the root key generation parameter and the recipient's identity.
  • one of the lower-level key generation parameters may be used, such as is described in more detail below with respect to dual-HIDE schemes.
  • a lower-level PKG generates a private key for the recipient such that the private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient's identity information.
  • in addition to the root key generation secret and the recipient's identity information, the recipient's private key preferably also is related at least to the lower-level key generation secret of the PKG that issued the private key to the recipient. Alternatively, the recipient's private key may be related to all n of its ancestral PKG's lower-level key generation secrets, as well as the root key generation secret.
  • the recipient uses at least its private key to decode the ciphertext and recover the message.
  • in addition to using its private key to decode, the recipient preferably also uses the n lower-level key generation parameters associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient.
  • Each lower-level PKG has a key generation secret, just like the root PKG.
  • a lower-level PKG preferably uses this secret to generate a private key for each of its children, just as the root PKG does.
  • the children's private keys are related to the lower-level PKG's key generation secret. This is true even if the lower-level PKG uses a modified version of its key generation secret to obscure that secret for purposes of restricting key escrow, as described more fully below.
  • the lower-level PKGs need not always use the same secret for each private key extraction. Rather, a new key generation secret could be generated randomly for each of the PKG's children, resulting in a different key generation parameter for each child.
  • a lower-level PKG is able to generate a private key for the recipient (block 112)
  • the root PKG need not generate all of the private keys itself.
  • compromising a lower-level key generation secret causes only limited security damage to the hierarchy. Rather than compromising all of the private keys in the hierarchy, a breach of a lower-level PKG compromises only the private key of that PKG and those private keys that were generated using that PKG's key generation secret (i.e., the private keys of those users that are direct hierarchical descendants of the compromised PKG).
  • Another advantage of this embodiment is that the sender need not be in the hierarchy to send an encoded message to the recipient.
  • the sender merely needs to know the identity information associated with the recipient and the system parameters generated by the root PKG.
  • certain additional advantages of the HIDE schemes of the present invention that become available when the sender is positioned within the hierarchy. For instance, when both the sender and the recipient are in the hierarchy, the efficiency of the message encryption may be improved by using the identities of both parties.
  • This type of HIDE scheme may be referred to as dual-HIDE because the identities of both the sender and the recipient are used as input for the encryption and decryption algorithms.
  • a method of encoding and decoding a message using a dual-HIDE scheme will now be discussed with reference to FIGS. 2 and 3.
  • FIG. 2 shows a flow diagram illustrating a method of encoding and decoding a digital message between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • FIG. 3 shows a block diagram illustrating a typical hierarchical structure in which this method may be performed. Like the previous embodiment, this method is performed in a HIDE system including at least a root PKG 302 and n lower-level PKGs 304a,b,d in the hierarchy between the root PKG 302 and the recipient z 308, wherein n > 1.
  • the sender y 306 in this embodiment also must be in the hierarchy, and the hierarchy also includes m lower-level PKGs 304a,b,c between the root PKG 302 and the sender y 306, wherein m ≥ 1.
  • m PKGs 304a,b,c between the root PKG 302 and the sender y 306, and the n PKGs 304a,b,d between the root PKG 302 and the recipient z 308, there are l PKGs 304a,b that are common ancestors to both the sender y 306 and the recipient z 308, wherein 1 ≤ l ≤ m, n.
  • two of these l common ancestral PKGs (PKG_y1/PKG_z1 304a and PKG_yl/PKG_zl 304b) are shown in FIG. 3.
  • the method of this embodiment begins in block 202, when the root PKG 302 selects a root key generation secret known only to the root PKG 302.
  • the root PKG 302 then generates a root key generation parameter based on the root key generation secret in block 204.
  • the lower-level PKGs 304a-d select lower-level key generation secrets in block 206.
  • each of the lower-level key generation secrets is known only to its associated lower-level PKG 304a-d.
  • lower-level key generation parameters are generated for each of the n lower-level PKGs 304a-d.
  • Each of the lower-level key generation parameters is generated using at least the lower-level key generation secret for its associated lower-level PKG 304a-d.
  • the sender's parent PKG_ym 304c generates a private key for the sender y 306 such that the private key is related to at least the root key generation secret, one or more of the m lower-level key generation secrets associated with the m lower-level PKGs 304a,b,c between the root PKG 302 and the sender y 306, and the sender's identity information.
  • the sender's private key preferably is related at least to the lower-level key generation secret of the sender's parent PKG_ym 304c.
  • the sender's private key may be related to all m of its direct ancestral PKGs' lower-level key generation secrets, as well as the root key generation secret.
  • the recipient's parent PKG_zn 304d generates a private key for the recipient z in a manner similar to that which the sender's parent PKG_ym 304c used to generate the sender's private key.
  • the sender encodes the message to form a ciphertext using at least the sender's private key and one or more of the lower-level key generation parameters associated with the (m - l + 1) PKGs (i.e., PKG_yl 304b and PKG_ym 304c) between the root PKG 302 and the sender y 306 that are at or below the level of the lowest ancestor PKG (PKG_yl/PKG_zl 304b) that is common to both the sender y 306 and the recipient z 308.
  • the sender y 306 preferably does not use any of the lower-level key generation parameters that are associated with the (l - 1) PKGs (i.e., PKG_y1 304a) that are above the lowest common ancestor PKG (PKG_yl/PKG_zl 304b).
  • the recipient z 308 then decodes the ciphertext to recover the message in block 216 using at least the recipient's private key and one or more of the lower-level key generation parameters associated with the (n - l + 1) PKGs (i.e., PKG_zl 304b and PKG_zn 304c) between the root PKG 302 and the recipient z 308 that are at or below the level of the lowest ancestor PKG (PKG_yl/PKG_zl 304b) that is common to both the sender y 306 and the recipient z 308.
  • the recipient z 306 preferably does not use any of the lower-level key generation parameters that are associated with the (l - 1) PKGs (i.e., PKG_z1 304a) that are above the lowest common ancestor PKG (PKG_yl/PKG_zl 304b).
  • This dual-HIDE embodiment of the invention provides a more efficient scheme for encoding and decoding the message because it requires the use of fewer key generation parameters. For instance, decoding in a regular HIDE scheme preferably requires all n of the key generation parameters, but decoding in a dual-HIDE scheme preferably requires only (n - l + 1) of the key generation parameters. Dual-HIDE schemes require the sender y 306 to obtain its private key before sending an encoded message to the recipient z 308, as opposed to merely obtaining the public system parameters of the root PKG. The dual-HIDE schemes also enable the sender y 306 and the recipient z 308 to restrict the scope of key escrow, as described more fully below. This shared secret is unknown to third parties other than their lowest common ancestor PKG_yl/PKG_zl 304b.
  • FIG. 4 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • the recipient z 308 is n+1 levels below the root PKG in the hierarchy, as shown in FIG. 3, and is associated with the ID-tuple (ID_z1, . . . , ID_z(n+1)).
  • the recipient's ID-tuple includes identity information ID_z(n+1) associated with the recipient, as well as identity information ID_zi associated with each of its n ancestral lower-level PKGs in the hierarchy.
  • the method begins in block 402 by generating first and second cyclic groups 𝔾_1 and 𝔾_2 of elements.
  • a function e is selected, such that the function e is capable of generating an element of the second cyclic group 𝔾_2 from two elements of the first cyclic group 𝔾_1.
  • the function e preferably is an admissible pairing, as described above.
  • a root generator P_0 of the first cyclic group 𝔾_1 is selected in block 406.
  • a random root key generation secret s_0 associated with and known only to the root PKG 302 is selected.
  • s_0 is an element of the cyclic group ℤ/qℤ.
  • a root key generation parameter Q_0 = s_0 P_0 is generated in block 410.
  • Q_0 is an element of the first cyclic group 𝔾_1.
  • a first function H_1 is selected such that H_1 is capable of generating an element of the first cyclic group 𝔾_1 from a first string of binary digits.
  • a second function H_2 is selected in block 414, such that H_2 is capable of generating a second string of binary digits from an element of the second cyclic group 𝔾_2.
  • the functions of blocks 402 through 414 are part of the HIDE Root Setup algorithm described above, and preferably are performed at about the same time.
  • the functions such as those disclosed in Boneh-Franklin may be used as H_1 and
  • next series of blocks show the functions performed as part of Lower-level Setup algorithm.
  • a public element P_zi is generated for each of the recipients' n ancestral lower-level PKGs.
  • Each of the public elements, P_zi = H_1(ID_z1, . . . , ID_zi) for 1 ≤ i ≤ n, preferably is an element of the first cyclic group 𝔾_1.
  • generation of all the public elements P_zi may take place over time, rather than all at once.
  • a lower-level key generation secret s_zi is selected (block 418) for each of the recipients' n ancestral lower-level PKGs 304a,b,d.
  • the lower-level key generation secrets s_zi preferably are elements of the cyclic group ℤ/qℤ for 1 ≤ i ≤ n, and each lower-level key generation secret s_zi preferably is known only to its associated lower-level PKG. Again, although represented in a single block, selection of all the lower-level key generation secrets s_zi may take place over time, rather than all at once.
  • a lower-level secret element S_zi is generated (block 420) for each of the sender's n ancestral lower-level PKGs.
  • Each lower-level secret element, S_zi = S_z(i-1) + s_z(i-1) P_zi for 1 ≤ i ≤ n, preferably is an element of the first cyclic group 𝔾_1.
  • generation of all the secret elements S_zi may take place over time, rather than all at once.
  • S_0 may be defined to be the identity element of 𝔾_1.
  • a lower-level key generation parameter Q_zi also is generated (block 422) for each of the recipients' n ancestral lower-level PKGs.
  • Each of the key generation parameters, Q_zi = s_zi P_0 for 1 ≤ i ≤ n, preferably is an element of the first cyclic group 𝔾_1.
  • generation of all the key generation parameters Q_zi may take place over time, rather than all at once.
  • a recipient public element P_z(n+1) associated with the recipient z is generated in block 424.
  • the recipient public element, P_z(n+1) = H_1(ID_z1, . . . , ID_z(n+1)), preferably is an element of the first cyclic group 𝔾_1.
  • a recipient secret element associated with the recipient z is then generated in block 426.
  • the recipient secret element S_z(n+1) also preferably is an element of the first cyclic group 𝔾_1.
  • the first function H_1 optionally may be chosen to be an iterated function so that, for example, the public points P_i may be computed as H_1(P_z(i-1), ID_zi) rather than H_1(ID_1, . . . , ID_zi).
  • the last two blocks shown in FIG. 4 represent the Encryption and Decryption algorithms described above.
  • in block 428, the message M is encoded to generate a ciphertext C.
  • the encoding preferably uses at least the root key generation parameter Q_0 and the ID-tuple (ID_z1, . . . , ID_z(n+1)).
  • the ciphertext C is then decoded in block
  • the decoding preferably uses at least the lower-level key generation parameters Q_zi for 1 ≤ i ≤ n, and the recipient secret element S_z(n+1).
  • the blocks shown in FIG. 4 need not all occur in sequence. For instance, a sender who knows a recipient's identity may encrypt communications to the recipient before the recipient obtains its private key.
  • FIG. 5 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • the Root Setup, Lower-level Setup, and Extraction algorithms are the same as for the embodiment shown in blocks 402 through 426 of FIG. 4.
  • the flow diagram of FIG. 5 illustrates the Encryption and Decryption algorithms, beginning with the selection of a random encryption parameter r in block 528a.
  • r is an integer of the cyclic group ℤ/qℤ.
  • the ciphertext C includes elements
  • the element g preferably is a member of the second cyclic group 𝔾_2.
  • a BasicHIDE scheme may be converted to a FullHIDE scheme that is chosen ciphertext secure in the random oracle model.
  • a FullHIDE scheme that is chosen ciphertext secure will now be discussed with reference to FIG. 6.
  • FIG. 6 shows a flow diagram illustrating a method of encoding and decoding a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • the Root Setup, Lower-level Setup, and Extraction algorithms are the same for this embodiment of the invention as for the embodiment described with reference to FIG. 4, except that the Root Setup algorithm of this embodiment requires two additional functions. Accordingly, the flow diagram of FIG. 6 begins with the selection of the additional functions (blocks 615a and 615b) and continues with the Encryption and Decryption algorithms (blocks 628a through 630d).
  • the Root Setup algorithm is completed by selecting a third function H 3 (block 615a) and a fourth function H 4 (block 615b).
  • the third function H_3 preferably is capable of generating an integer of the cyclic group ℤ/qℤ from two strings of binary digits.
  • the fourth function H_4 preferably is capable of generating one binary string from another binary string.
  • the Encryption algorithm begins with block 628a, which shows the selection of a random binary string σ.
  • the ciphertext C = [U_0, U_2, . . . , U_n+1, V, W] is generated.
  • the element g preferably is a member of the second cyclic group 𝔾_2.
  • the third part of the ciphertext C is W, the actual message in symmetrically encrypted form, as described above.
  • the Decryption algorithm begins with block 630a, which shows the recovery of the random binary string σ.
  • the random binary string σ is
  • the concept of dual-HIDE described with reference to FIGS. 2 and 3 may be applied to BasicHIDE and FullHIDE schemes.
  • dual-HIDE allows them to increase the efficiency and security of their encrypted communications.
  • the application of dual-HIDE to BasicHIDE and FullHIDE schemes requires the determination of additional information, most of which is determined via the Lower-level Setup algorithm described above. For instance, public elements P_yi, lower-level key generation secrets s_yi, lower-level secret elements S_yi, and lower-level key generation parameters Q_yi must be determined for the sender's m ancestral lower-level PKGs.
  • Dual-HIDE also requires determination of a sender public element P_y(m+1) and a sender secret element S_y(m+1) for the sender, using the same methods for which these parameters are determined for the recipient as described above.
  • a message M may be encoded to generate a ciphertext C according to the principles of dual-HIDE by using the lower-level key generation parameters Q_yi for i ≥ l and the sender secret element S_y(m+1), but not using the lower-level key generation parameters Q_yi for i < l.
  • the ciphertext C may be decoded to recover the message M using the lower-level key generation parameters Q_zi for i ≥ l and the recipient secret element S_z(n+1), but not using the lower-level key generation parameters Q_zi for i < l.
  • FullHIDE also may be modified to create a dual-FullHIDE scheme.
  • PKG_l 304b may be any common ancestor PKG.
  • the encryption and decryption algorithms are the same. For maximum efficiency however, it is preferable that PKG_l 304b be the lowest common ancestor PKG.
  • the dual-HIDE schemes of the present invention also offer increased security by restricting key escrow.
  • all of the recipient's direct ancestor PKGs are able to decrypt messages to the recipient.
  • because the dual-HIDE schemes incorporate the key generation secret of PKG_(l-1) (the immediate parent of PKG_l), which is unknown to the common ancestor PKGs above PKG_(l-1), those common ancestor PKGs are not able to decrypt messages between the sender y and the recipient z.
  • the immediate parent of PKG_l 304b is still able to decrypt messages, however, because it knows its own key generation secret.
  • Key escrow may be further restricted such that even the immediate parent of PKG_l may not decrypt messages between the sender y and the recipient z. This may be accomplished by obscuring PKG_l's private key in the process of generating private keys for the sender y and the recipient z (or private keys for children of PKG_l that are ancestors of the sender y and the recipient z).
  • the new private key S is just as effective, but is unknown to PKG_l's immediate parent. Accordingly, no PKGs above PKG_l are able to decode messages encrypted to the recipient z. More specifically, only ancestors of the recipient z that are within PKG_l's domain are able to decrypt messages to the recipient z.
  • a user or PKG may change its own secret element S_z(n+1) and key generation parameters Q_zi for 1 ≤ i ≤ n by choosing values for b_i for 1 ≤ i ≤ n and setting S'_z(n+1) := S_z(n+1) + Σ_{i=1}^{n} b_i P_z(i+1) and Q'_zi := Q_zi + b_i P_0 for 1 ≤ i ≤ n.
  • this new private key is still considered to be related to the original private key, and is thus related to the original values of the key generation secrets s z ⁇ .
  • the dual-BasicHIDE Encryption algorithm may be modified such that the ciphertext // 2 (g; ( , +l) )i, where
  • a sender outside the hierarchy may send an encrypted message to the recipient z without computing public elements P zi for all n of the recipient's ancestor PKGs. Rather, the sender may use the parameters for the lower-level authenticated root PKG to encrypt the message more efficiently.
  • the key generation secrets and private keys may be distributed using known techniques of threshold cryptography.
  • FIG. 7 shows a flow diagram illustrating a method of generating and verifying a digital signature according to another presently preferred embodiment of the invention.
  • the method is performed in a HIDS system including a plurality of PKGs.
  • the PKGs include at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the sender, or signer, wherein n ≥ 1.
  • the root PKG selects a root key generation secret known only to the root PKG.
  • the root key generation secret may be used to generate private keys for PKGs or users below the root PKG in the hierarchy.
  • the root PKG then generates a root key generation parameter based on the root key generation secret in block 704.
  • the lower-level PKGs select lower-level key generation secrets in block 706.
  • the lower-level key generation associated with a given lower-level PKG may be used to generate private keys for PKGs or users below the associated lower-level PKG in the hierarchy.
  • each of the lower-level key generation secrets is known only to its associated lower-level PKG.
  • lower-level key generation parameters are generated for each of the n lower-level PKGs.
  • Each of the lower-level key generation parameters is generated using at least the lower-level key generation secret for its associated lower-level PKG.
  • a lower-level PKG generates a private key for the recipient such that the private key is related to at least one of the n lower-level key generation secrets.
  • the sender's private key may be related at least to the lower-level key generation secret of the PKG that issued the private key to the recipient.
  • the recipient's private key may be related to all n of its ancestral PKG's lower-level key generation secrets, as well as the root key generation secret.
  • the sender uses at least its private key to sign the message and generate the digital signature.
  • the recipient, or verifier then verifies the digital signature in block 714 using at least one of the lower-level key generation parameters. For instance, the signature may be verified using only the root key generation parameter. Alternatively, one or more of the lower-level key generation parameters also may be used.
  • FIG. 8 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • the sender y 306 is m+1 levels below the root PKG in the hierarchy, as shown in FIG. 3, and is associated with the ID-tuple
  • the sender's ID-tuple includes identity information
  • the method begins in block 802 by generating first and second cyclic groups 𝔾_1 and 𝔾_2 of elements.
  • a function e is selected, such that the function e is capable of generating an element of the second cyclic group 𝔾_2 from two elements of the first cyclic group 𝔾_1.
  • the function e preferably is an admissible pairing, as described above.
  • a root generator P_0 of the first cyclic group 𝔾_1 is selected in block 806.
  • a random root key generation secret s_0 associated with and known only to the root PKG 302 is selected.
  • s_0 is an element of the cyclic group ℤ/qℤ.
  • Q_0 is an element of the first cyclic group 𝔾_1.
  • a first function H_1 is selected such that H_1 is capable of generating an element of the first cyclic group 𝔾_1 from a first string of binary digits.
  • a second function H_3 is selected in block 814, such that H_3 is capable of generating a second string of binary digits from an element of the second cyclic group 𝔾_2.
  • the functions of blocks 802 through 814 are part of the HIDS Root Setup algorithm described above, and preferably are performed at about the same time.
  • functions such as those disclosed in Boneh-Franklin may be used as H_1 and H_3.
  • the functions H_1 and H_3 may be exactly the same function.
  • the signer's signature may actually be a private key, which thereafter may be used to decrypt messages and forge signatures.
  • This pitfall may be avoided, however, by using some expedient — such as a bit prefix or a different function for H 3 — that distinguishes between signing and private key extraction.
  • next series of blocks show the functions performed as part of Lower-level Setup algorithm.
  • a public element P_yi is generated for each of the sender's m ancestral lower-level PKGs.
  • Each of the public elements, P_yi = H_1(ID_y1, . . . , ID_yi) for 1 ≤ i ≤ m, preferably is an element of the first cyclic group 𝔾_1.
  • generation of all the public elements P_yi may take place over time, rather than all at once.
  • a lower-level key generation secret s_yi is selected (block 818) for each of the sender's m ancestral lower-level PKGs 304a,b,d.
  • the lower-level key generation secrets s_yi preferably are elements of the cyclic group ℤ/qℤ for 1 ≤ i ≤ m, and each lower-level key generation secret s_yi preferably is known only to its associated lower-level PKG. Again, although represented in a single block, selection of all the secrets s_yi may take place over time, rather than all at once.
  • a lower-level secret element S_yi is generated (block 820) for each of the sender's m ancestral lower-level PKGs.
  • S_0 preferably is defined to be the identity element
  • a lower-level key generation parameter Q_yi also is generated (block 824) for each of the sender's m ancestral lower-level PKGs.
  • Each of the key generation parameters, Q_yi = s_yi P_0 for 1 ≤ i ≤ m, preferably is an element of the first cyclic group 𝔾_1. Again, although represented in a single block, generation of all the key generation parameters Q_yi may take place over time, rather than all at once.
  • a sender public element P_y(m+1) associated with the sender y is generated in block 824.
  • the sender public element preferably is an element of the first cyclic group 𝔾_1.
  • a sender secret element S_y(m+1) associated with the sender y is then generated in block 826.
  • the first function H_1 optionally may be chosen to be an iterated function so that, for example, the public points P_i may be computed as H_1(P_y(i-1), ID_yi) rather than H_1(ID_1, . . . , ID_yi).
  • the last two blocks shown in FIG. 8 represent the Signing and Verification algorithms described above.
  • in block 828, the message M is signed to generate a digital signature Sig.
  • the signing preferably uses at least the sender secret element S_y(m+1).
  • the digital signature Sig is then verified in block 830.
  • the verification preferably uses at least the root key generation parameter Q_0 and the lower-level key generation parameters Q_yi.
  • FIG. 9 shows a flow diagram illustrating a method of generating and verifying a digital signature Sig of a digital message M communicated between a sender y and a recipient z according to another presently preferred embodiment of the invention.
  • the Root Setup, Lower-level Setup, and Extraction algorithms are the same as for the embodiment shown in blocks 802 through 826 of FIG. 8.
  • the flow diagram of FIG. 9 begins with the selection of a sender key generation secret s_y(m+1), known only to the sender y, in block 927a.
  • a sender key generation parameter Q_y(m+1) associated with the sender is generated in block 927b using the formula
  • the message element P_M preferably is a member of the first cyclic group 𝔾_1.
  • the recipient verifies the digital signature Sig (block 930) by confirming that the formula - e(Q 0 ,P ] ) is satisfied.
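The key hierarchy of FIG. 4 and the encrypt/decrypt and sign/verify flows of FIGS. 5 and 9, carried through end to end as an added example (not code from the patent or its authors). It also checks two points made above: an ancestor PKG can re-derive a descendant's key (key escrow), and a signature coincides with an extracted private key when H_1 and H_3 are the same function. Assumptions: the pairing is a deliberately insecure toy, the encryption, decryption and verification equations are those of Gentry and Silverberg's published BasicHIDE and HIDS constructions (they do not survive in this text), and all function names, ID strings and the \x01/\x03 hash prefixes are hypothetical.

```python
import hashlib
import secrets
from itertools import count

def is_prime(n):
    """Deterministic Miller-Rabin; these 12 bases are exact for n < 3e23."""
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

# TOY groups, an assumption of this example: G1 = (Z_q, +) with P_0 = 1,
# G2 = the order-q subgroup of Z_p^*, e(A, B) = gen2^(A*B). The map is bilinear,
# but discrete logs in G1 are trivial, so this gives NO security at all.
q = 2**61 - 1                                              # prime group order
p = next(2 * k * q + 1 for k in count(1) if is_prime(2 * k * q + 1))
gen2 = next(x for x in (pow(h, (p - 1) // q, p) for h in count(2)) if x != 1)
P0 = 1

def e(A, B):
    return pow(gen2, A * B % q, p)

def _hash(tag, parts):
    # One-byte tag separates H_1 from H_3; length prefixes keep tuples unambiguous.
    data = tag + b"".join(len(x).to_bytes(2, "big") + x for x in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def H1(*ids):                  # ID-tuple -> public element P_i in G1
    return _hash(b"\x01", ids)
def H3(*parts):                # (ID-tuple, message) -> message element P_M in G1
    return _hash(b"\x03", parts)
def H2(elem, n):               # element of G2 -> n-byte mask
    return hashlib.shake_256(elem.to_bytes((p.bit_length() + 7) // 8, "big")).digest(n)

class Node:
    """A PKG or user: ID-tuple, secret element S_t, ancestors' Q_0..Q_(t-1)."""
    def __init__(self, ids=(), S=0, Qs=()):
        self.ids, self.S, self.Qs = tuple(ids), S, tuple(Qs)
        self.s = secrets.randbelow(q - 1) + 1      # own key generation secret s_t
        self.Q = self.s * P0 % q                   # key generation parameter Q_t = s_t P_0

    def extract(self, child_id):
        """Issue a child's key: S_t = S_(t-1) + s_(t-1) P_t."""
        ids = self.ids + (child_id,)
        return Node(ids, (self.S + self.s * H1(*ids)) % q, self.Qs + (self.Q,))

def encrypt(Q0, ids, msg):
    """The sender needs only Q_0 and the recipient's ID-tuple."""
    P = [H1(*ids[:i]) for i in range(1, len(ids) + 1)]     # P_1..P_t
    r = secrets.randbelow(q - 1) + 1
    mask = H2(pow(e(Q0, P[0]), r, p), len(msg))            # H_2(g^r), g = e(Q_0, P_1)
    V = bytes(a ^ b for a, b in zip(msg, mask))
    return r * P0 % q, [r * Pi % q for Pi in P[1:]], V     # U_0, (U_2..U_t), V

def decrypt(node, ct):
    U0, U, V = ct
    den = 1
    for Q_prev, Ui in zip(node.Qs[1:], U):                 # e(Q_(i-1), U_i), i = 2..t
        den = den * e(Q_prev, Ui) % p
    k = e(U0, node.S) * pow(den, p - 2, p) % p             # equals g^r for the right key
    return bytes(a ^ b for a, b in zip(V, H2(k, len(V))))

def sign(node, msg, H=H3):
    """Sig = S_t + s_t P_M, sent together with Q_1..Q_t."""
    P_M = H(*node.ids, msg)
    return (node.S + node.s * P_M) % q, node.Qs[1:] + (node.Q,)

def verify(Q0, ids, msg, sig, H=H3):
    Sig, Qs = sig
    if len(Qs) != len(ids):
        return False
    P = [H1(*ids[:i]) for i in range(1, len(ids) + 1)]
    rhs = e(Q0, P[0]) * e(Qs[-1], H(*ids, msg)) % p
    for Q_prev, Pi in zip(Qs, P[1:]):                      # e(Q_(i-1), P_i), i = 2..t
        rhs = rhs * e(Q_prev, Pi) % p
    return e(P0, Sig) == rhs

def signature_is_child_key(signer, label, H):
    """True if signing `label` under hash H yields the key extract(label) issues."""
    return sign(signer, label, H)[0] == signer.extract(label).S

if __name__ == "__main__":
    root = Node()
    alice = root.extract(b"example.org").extract(b"eng").extract(b"alice")
    ct = encrypt(root.Q, alice.ids, b"constructed sample message")
    print(decrypt(alice, ct), verify(root.Q, alice.ids, b"m", sign(alice, b"m")))
```

With H set to H1, `signature_is_child_key` returns True; with the separately prefixed H3 it returns False, which is the distinction between signing and private key extraction that the bit prefix provides.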
PCT/US2003/008010 2002-03-21 2003-03-18 Hierarchical identity-based encryption and signature schemes WO2003081780A2 (en)

Priority Applications (5)

Application Number Priority Date Filing Date Title
JP2003579369A JP4405810B2 (ja) 2002-03-21 2003-03-18 階層型の同一性に基づく暗号化および署名スキーム
EP03711597A EP1495573B1 (en) 2002-03-21 2003-03-18 Hierarchical identity-based encryption and signature schemes
CN038039109A CN1633774B (zh) 2002-03-21 2003-03-18 基于身份的分级加密与签名方案
AU2003214189A AU2003214189A1 (en) 2002-03-21 2003-03-18 Hierarchical identity-based encryption and signature schemes
DE60325575T DE60325575D1 (de) 2002-03-21 2003-03-18 Hierarchische verchlüsselung auf identitätsbasis und signaturschemata

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
US36629202P 2002-03-21 2002-03-21
US36619602P 2002-03-21 2002-03-21
US60/366,292 2002-03-21
US60/366,196 2002-03-21
US10/384,328 US7349538B2 (en) 2002-03-21 2003-03-07 Hierarchical identity-based encryption and signature schemes
US10/384,328 2003-03-07

Publications (2)

Publication Number Publication Date
WO2003081780A2 true WO2003081780A2 (en) 2003-10-02
WO2003081780A3 WO2003081780A3 (en) 2004-02-19

Family

ID=28046523

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2003/008010 WO2003081780A2 (en) 2002-03-21 2003-03-18 Hierarchical identity-based encryption and signature schemes

Country Status (8)

Country Link
US (4) US7349538B2
EP (3) EP1495573B1
JP (1) JP4405810B2
CN (1) CN1633774B
AT (1) ATE419690T1
AU (1) AU2003214189A1
DE (1) DE60325575D1
WO (1) WO2003081780A2

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2009044763A (ja) * 2002-11-14 2009-02-26 Voltage Security Inc 識別ベースの暗号化システム
WO2012108100A1 (ja) * 2011-02-09 2012-08-16 三菱電機株式会社 暗号処理システム、鍵生成装置、暗号化装置、復号装置、鍵委譲装置、暗号処理方法及び暗号処理プログラム

Families Citing this family (86)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7349538B2 (en) 2002-03-21 2008-03-25 Ntt Docomo Inc. Hierarchical identity-based encryption and signature schemes
CN101453332A (zh) * 2002-04-15 2009-06-10 株式会社Ntt都科摩 利用双线性映射的签名方案
GB0215524D0 (en) * 2002-07-05 2002-08-14 Hewlett Packard Co Method and apparatus for generating a cryptographic key
US20050089173A1 (en) * 2002-07-05 2005-04-28 Harrison Keith A. Trusted authority for identifier-based cryptography
GB0215590D0 (en) * 2002-07-05 2002-08-14 Hewlett Packard Co Method and apparatus for generating a cryptographic key
CN1679271A (zh) * 2002-08-28 2005-10-05 美国多科摩通讯研究所股份有限公司 基于认证的加密和公共密钥基础结构
US7003117B2 (en) * 2003-02-05 2006-02-21 Voltage Security, Inc. Identity-based encryption system for secure data distribution
US8108678B1 (en) * 2003-02-10 2012-01-31 Voltage Security, Inc. Identity-based signcryption system
KR100507809B1 (ko) * 2003-03-19 2005-08-17 학교법인 한국정보통신학원 네트워크상에서의 겹선형쌍 디피-헬만 문제를 이용한 익명핑거프린팅 방법
GB2400699B (en) * 2003-04-17 2006-07-05 Hewlett Packard Development Co Security data provision method and apparatus and data recovery method and system
US7580521B1 (en) * 2003-06-25 2009-08-25 Voltage Security, Inc. Identity-based-encryption system with hidden public key attributes
US7017181B2 (en) * 2003-06-25 2006-03-21 Voltage Security, Inc. Identity-based-encryption messaging system with public parameter host servers
US7103911B2 (en) * 2003-10-17 2006-09-05 Voltage Security, Inc. Identity-based-encryption system with district policy information
CA2543796C (en) 2003-10-28 2015-12-08 Certicom Corp. Method and apparatus for verifiable generation of public keys
US20050135610A1 (en) * 2003-11-01 2005-06-23 Liqun Chen Identifier-based signcryption
GB2416282B (en) * 2004-07-15 2007-05-16 Hewlett Packard Development Co Identifier-based signcryption with two trusted authorities
WO2006034428A2 (en) * 2004-09-20 2006-03-30 Pgp Corporation Apparatus and method for identity-based encryption within a conventional public-key infrastructure
US20060078790A1 (en) * 2004-10-05 2006-04-13 Polyplus Battery Company Solid electrolytes based on lithium hafnium phosphate for active metal anode protection
US7613193B2 (en) * 2005-02-04 2009-11-03 Nokia Corporation Apparatus, method and computer program product to reduce TCP flooding attacks while conserving wireless network bandwidth
JP2007004461A (ja) * 2005-06-23 2007-01-11 Nec Corp Service providing system, outsourcer device, service providing method, and program
US20070050303A1 (en) * 2005-08-24 2007-03-01 Schroeder Dale W Biometric identification device
US7788484B2 (en) * 2005-11-30 2010-08-31 Microsoft Corporation Using hierarchical identity based cryptography for authenticating outbound mail
CN1859086B (zh) * 2005-12-31 2010-06-09 华为技术有限公司 Content hierarchical access control system and method
GB2434947B (en) * 2006-02-02 2011-01-26 Identum Ltd Electronic data communication system
CN100542091C (zh) * 2006-07-07 2009-09-16 上海交通大学 Identity-based key generation method and system
US8670564B1 (en) 2006-08-14 2014-03-11 Key Holdings, LLC Data encryption system and method
US7900252B2 (en) * 2006-08-28 2011-03-01 Lenovo (Singapore) Pte. Ltd. Method and apparatus for managing shared passwords on a multi-user computer
US20080133905A1 (en) * 2006-11-30 2008-06-05 David Carroll Challener Apparatus, system, and method for remotely accessing a shared password
US8340284B2 (en) * 2007-02-13 2012-12-25 Nec Corporation Key generation device, key derivation device, encryption device, decryption device, method and program
EP1986146A1 (en) * 2007-04-27 2008-10-29 Gemplus Transaction method between two entities providing anonymity revocation for tree-based schemes without trusted party
US7890763B1 (en) * 2007-09-14 2011-02-15 The United States Of America As Represented By The Director, National Security Agency Method of identifying invalid digital signatures involving batch verification
JPWO2009110055A1 (ja) * 2008-03-03 2011-07-14 株式会社Pfu Image processing system, method, and program
CN101567784B (zh) * 2008-04-21 2016-03-30 华为数字技术(成都)有限公司 Method, system, and device for obtaining a key
US8656177B2 (en) * 2008-06-23 2014-02-18 Voltage Security, Inc. Identity-based-encryption system
US9425960B2 (en) * 2008-10-17 2016-08-23 Sap Se Searchable encryption for outsourcing data analytics
US8315395B2 (en) * 2008-12-10 2012-11-20 Oracle America, Inc. Nearly-stateless key escrow service
US9165154B2 (en) * 2009-02-16 2015-10-20 Microsoft Technology Licensing, Llc Trusted cloud computing and services framework
US8341427B2 (en) * 2009-02-16 2012-12-25 Microsoft Corporation Trusted cloud computing and services framework
US8837718B2 (en) * 2009-03-27 2014-09-16 Microsoft Corporation User-specified sharing of data via policy and/or inference from a hierarchical cryptographic store
WO2010123116A1 (ja) * 2009-04-24 2010-10-28 日本電信電話株式会社 Information generation device, method, program, and recording medium thereof
DE102009027268B3 (de) * 2009-06-29 2010-12-02 Bundesdruckerei Gmbh Method for generating an identifier
US8938068B2 (en) * 2009-08-03 2015-01-20 Nippon Telegraph And Telephone Corporation Functional encryption applied system, information output apparatus, information processing apparatus, encryption protocol execution method, information output method, information processing method, program and recording medium
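JP2011082662A (ja) * 2009-10-05 2011-04-21 Mitsubishi Electric Corp Communication device, information processing method, and program
CN101820626B (zh) * 2009-10-19 2013-04-10 兰州理工大学 Partially blind signature method without a trusted PKG based on wireless mesh network identity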
US8488783B2 (en) * 2010-02-19 2013-07-16 Nokia Method and apparatus for applying recipient criteria in identity-based encryption
WO2011147092A1 (zh) * 2010-05-27 2011-12-01 华南理工大学 Hierarchical group key management method based on linear geometry
US20120069995A1 (en) * 2010-09-22 2012-03-22 Seagate Technology Llc Controller chip with zeroizable root key
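JP5693206B2 (ja) * 2010-12-22 2015-04-01 三菱電機株式会社 Cryptographic processing system, key generation device, encryption device, decryption device, cryptographic processing method, and cryptographic processing program
CN102123138B (zh) * 2011-01-04 2014-12-10 南京邮电大学 ONS-based secure encryption method in the Internet of Things
JP5501482B2 (ja) * 2011-01-18 2014-05-21 三菱電機株式会社 Cryptographic system, cryptographic processing method of cryptographic system, encryption device, encryption program, decryption device, and decryption program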
WO2012141556A2 (en) * 2011-04-15 2012-10-18 Samsung Electronics Co., Ltd. Machine-to-machine node erase procedure
KR101301609B1 (ko) * 2012-05-31 2013-08-29 서울대학교산학협력단 Secret key generation apparatus and method, and recording medium storing a program for executing the method on a computer
US10148285B1 (en) 2012-07-25 2018-12-04 Erich Schmitt Abstraction and de-abstraction of a digital data stream
EP2947641B1 (en) * 2013-01-16 2018-03-14 Mitsubishi Electric Corporation Information processing device, information processing method, and program
US10795858B1 (en) 2014-02-18 2020-10-06 Erich Schmitt Universal abstraction and de-abstraction of a digital data stream
US9692759B1 (en) 2014-04-14 2017-06-27 Trend Micro Incorporated Control of cloud application access for enterprise customers
CN105207969A (zh) * 2014-06-10 2015-12-30 江苏大泰信息技术有限公司 Lightweight stream encryption method for low-power Internet of Things environments
DE102014213454A1 (de) * 2014-07-10 2016-01-14 Siemens Aktiengesellschaft Method and system for detecting manipulation of data records
US10333696B2 (en) 2015-01-12 2019-06-25 X-Prime, Inc. Systems and methods for implementing an efficient, scalable homomorphic transformation of encrypted data with minimal data expansion and improved processing efficiency
WO2016118523A1 (en) 2015-01-19 2016-07-28 InAuth, Inc. Systems and methods for trusted path secure communication
FR3033466B1 (fr) * 2015-03-04 2017-02-17 Inria Inst Nat De Rech En Informatique Et En Automatique Device and method for administering a digital escrow server
CN105024821B (zh) * 2015-07-13 2018-10-30 广东恒睿科技有限公司 Revocable identity-based encryption method on lattices
CN105024822B (zh) * 2015-07-13 2018-11-13 上海星地通讯工程研究所 Identity-based encryption method from multilinear maps
CN105049211B (zh) * 2015-07-13 2018-11-27 深圳康元智能科技有限公司 Accumulator-based revocable identity-based encryption method on lattices
CN105187202B (zh) * 2015-07-13 2018-12-21 重庆涔信科技有限公司 Revocable attribute-based encryption method based on a complete binary tree
FR3043482B1 (fr) * 2015-11-06 2018-09-21 Ingenico Group Method for secure recording of data, and corresponding device and program
CN105553654B (zh) * 2015-12-31 2019-09-03 广东信鉴信息科技有限公司 Key information processing method and device, and key information management system
CN105743646B (zh) * 2016-02-03 2019-05-10 四川长虹电器股份有限公司 Identity-based encryption method and system
US10050946B2 (en) * 2016-06-17 2018-08-14 The Boeing Company Secured data transmission using identity-based cryptography
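JP6721832B2 (ja) * 2016-08-24 2020-07-15 富士通株式会社 Data conversion program, data conversion device, and data conversion method
CN106453052B (zh) * 2016-10-14 2020-06-19 北京小米移动软件有限公司 Message interaction method and device
CN108011715B (zh) * 2016-10-31 2021-03-23 华为技术有限公司 Key distribution method, related device, and system
CN106911704B (zh) * 2017-03-13 2020-10-09 北京轻信科技有限公司 Blockchain-based encryption and decryption method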
US11128452B2 (en) * 2017-03-25 2021-09-21 AVAST Software s.r.o. Encrypted data sharing with a hierarchical key structure
US10411891B2 (en) * 2017-06-28 2019-09-10 Nxp B.V. Distance-revealing encryption
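CN109218016B (zh) * 2017-07-06 2020-05-26 北京嘀嘀无限科技发展有限公司 Data transmission method and device, server, computer equipment, and storage medium
CN107679262B (zh) * 2017-08-11 2021-03-26 上海集成电路研发中心有限公司 Method for modeling the peripheral parasitic resistance of a MOS device substrate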
US11146397B2 (en) * 2017-10-31 2021-10-12 Micro Focus Llc Encoding abelian variety-based ciphertext with metadata
CN112425132B (zh) 2018-07-17 2024-02-20 瑞典爱立信有限公司 Method and apparatus for facilitating secure communication between a subscriber and a service provider
JP2020068437A (ja) * 2018-10-23 2020-04-30 株式会社アメニディ Access management device and program
US11128454B2 (en) 2019-05-30 2021-09-21 Bong Mann Kim Quantum safe cryptography and advanced encryption and key exchange (AEKE) method for symmetric key encryption/exchange
CN110266492B (zh) * 2019-05-31 2023-06-09 中国能源建设集团甘肃省电力设计院有限公司 Traceable identity authentication method for the ubiquitous power Internet of Things
AU2020329777A1 (en) 2019-08-12 2022-01-27 Audio Visual Preservation Solutions, Inc. Source identifying forensics system, device, and method for multimedia files
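JP7444378B2 (ja) 2021-01-08 2024-03-06 日本電信電話株式会社 Key exchange system, communication terminal, information processing device, key exchange method, and program
CN113259093B (zh) * 2021-04-21 2022-03-25 山东大学 Hierarchical signature encryption system based on identity-based encryption and construction method
CN113297630B (zh) * 2021-05-27 2022-09-30 河南科技大学 Forward-secure group signature management method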

Citations (4)

Publication number Priority date Publication date Assignee Title
US4309569A (en) * 1979-09-05 1982-01-05 The Board Of Trustees Of The Leland Stanford Junior University Method of providing digital signatures
US5590197A (en) * 1995-04-04 1996-12-31 V-One Corporation Electronic payment system and method
EP1051036A2 (en) * 1999-05-07 2000-11-08 Lucent Technologies Inc. Cryptographic method and apparatus for restricting access to transmitted programming content using hash functions and program identifiers
US20020154782A1 (en) * 2001-03-23 2002-10-24 Chow Richard T. System and method for key distribution to maintain secure communication

Family Cites Families (33)

Publication number Priority date Publication date Assignee Title
US5432852A (en) * 1993-09-29 1995-07-11 Leighton; Frank T. Large provably fast and secure digital signature schemes based on secure hash functions
US5708714A (en) * 1994-07-29 1998-01-13 Canon Kabushiki Kaisha Method for sharing secret information and performing certification in a communication system that has a plurality of information processing apparatuses
EP0804758B1 (en) * 1994-07-29 2005-11-09 Certicom Corp. Elliptic curve encryption systems
CA2223305A1 (en) * 1995-06-05 1996-12-12 Certco Llc Multi-step digital signature method and system
US5774552A (en) * 1995-12-13 1998-06-30 Ncr Corporation Method and apparatus for retrieving X.509 certificates from an X.500 directory
US5638447A (en) * 1996-05-15 1997-06-10 Micali; Silvio Compact digital signatures
US6212637B1 (en) * 1997-07-04 2001-04-03 Nippon Telegraph And Telephone Corporation Method and apparatus for en-bloc verification of plural digital signatures and recording medium with the method recorded thereon
US6298153B1 (en) * 1998-01-16 2001-10-02 Canon Kabushiki Kaisha Digital signature method and information communication system and apparatus using such method
US6754820B1 (en) * 2001-01-30 2004-06-22 Tecsec, Inc. Multiple level access system
US6826687B1 (en) * 1999-05-07 2004-11-30 International Business Machines Corporation Commitments in signatures
US6760441B1 (en) * 2000-03-31 2004-07-06 Intel Corporation Generating a key hieararchy for use in an isolated execution environment
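JP4622064B2 (ja) * 2000-04-06 2011-02-02 ソニー株式会社 Information recording device, information reproducing device, information recording method, information reproducing method, information recording medium, and program providing medium
JP4660899B2 (ja) * 2000-07-24 2011-03-30 ソニー株式会社 Data processing device, data processing method, and program providing medium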
WO2002013435A1 (en) * 2000-08-04 2002-02-14 First Data Corporation Method and system for using electronic communications for an electronic contact
US6886296B1 (en) * 2000-08-14 2005-05-03 Michael John Wooden post protective sleeve
US20020025034A1 (en) * 2000-08-18 2002-02-28 Solinas Jerome Anthony Cryptographic encryption method using efficient elliptic curve
JP4622087B2 (ja) * 2000-11-09 2011-02-02 ソニー株式会社 Information processing device, information processing method, and program storage medium
US7088822B2 (en) * 2001-02-13 2006-08-08 Sony Corporation Information playback device, information recording device, information playback method, information recording method, and information recording medium and program storage medium used therewith
EP1425874B1 (en) * 2001-08-13 2010-04-21 Board Of Trustees Of The Leland Stanford Junior University Systems and methods for identity-based encryption and related cryptographic techniques
US7093133B2 (en) * 2001-12-20 2006-08-15 Hewlett-Packard Development Company, L.P. Group signature generation system using multiple primes
US7349538B2 (en) 2002-03-21 2008-03-25 Ntt Docomo Inc. Hierarchical identity-based encryption and signature schemes
CN101453332A (zh) * 2002-04-15 2009-06-10 株式会社Ntt都科摩 Signature schemes using bilinear mappings
CN1679271A (zh) * 2002-08-28 2005-10-05 美国多科摩通讯研究所股份有限公司 Certificate-based encryption and public key infrastructure
CN100499450C (zh) * 2003-04-22 2009-06-10 国际商业机器公司 Hierarchical key generation method and device for digital resources
FR2855343B1 (fr) * 2003-05-20 2005-10-07 France Telecom Group electronic signature method with revocable anonymity, and equipment and programs for implementing the method
KR100537514B1 (ko) * 2003-11-01 2005-12-19 삼성전자주식회사 Digital signature method based on identity information of group members, method for obtaining identity information of the group member who performed the digital signature, and digital signature system based on identity information of group members
DE60315853D1 (de) * 2003-12-24 2007-10-04 St Microelectronics Srl Method for decrypting a message
US20090024852A1 (en) * 2004-01-23 2009-01-22 Shoko Yonezawa Group signature system, method, device, and program
JP4546231B2 (ja) * 2004-12-09 2010-09-15 株式会社日立製作所 ID-based signature and encryption system and method
KR100909503B1 (ko) * 2005-01-21 2009-07-27 닛본 덴끼 가부시끼가이샤 Group signature scheme
KR100737876B1 (ko) * 2005-02-25 2007-07-12 삼성전자주식회사 Broadcast encryption method based on a hierarchical threshold tree
JP5029358B2 (ja) * 2005-07-19 2012-09-19 日本電気株式会社 Key issuing method and group signature system
US8060741B2 (en) * 2006-12-29 2011-11-15 Industrial Technology Research Institute System and method for wireless mobile network authentication

Non-Patent Citations (1)

Title
See also references of EP1495573A2 *

Cited By (6)

Publication number Priority date Publication date Assignee Title
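JP2009044763A (ja) * 2002-11-14 2009-02-26 Voltage Security Inc Identity-based encryption system
WO2012108100A1 (ja) * 2011-02-09 2012-08-16 三菱電機株式会社 Cryptographic processing system, key generation device, encryption device, decryption device, key delegation device, cryptographic processing method, and cryptographic processing program
JP2012163917A (ja) * 2011-02-09 2012-08-30 Mitsubishi Electric Corp Cryptographic processing system, key generation device, encryption device, decryption device, key delegation device, cryptographic processing method, and cryptographic processing program
CN103354984A (zh) * 2011-02-09 2013-10-16 三菱电机株式会社 Cryptographic processing system, key generation device, encryption device, decryption device, key delegation device, cryptographic processing method, and cryptographic processing program
KR101432462B1 (ko) 2011-02-09 2014-08-20 미쓰비시덴키 가부시키가이샤 Cryptographic processing system, key generation device, encryption device, decryption device, key delegation device, cryptographic processing method, and computer-readable recording medium recording a cryptographic processing program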
US9385867B2 (en) 2011-02-09 2016-07-05 Mitsubishi Electric Corporation Cryptographic processing system, key generation device, encryption device, decryption device, key delegation device, cryptographic processing method, and cryptographic processing program

Also Published As

Publication number Publication date
EP2012459A1 (en) 2009-01-07
US20080052521A1 (en) 2008-02-28
EP2309671A2 (en) 2011-04-13
US7337322B2 (en) 2008-02-26
EP1495573A2 (en) 2005-01-12
EP1495573A4 (en) 2006-10-11
EP1495573B1 (en) 2008-12-31
CN1633774B (zh) 2011-12-07
AU2003214189A1 (en) 2003-10-08
US7590854B2 (en) 2009-09-15
US20030179885A1 (en) 2003-09-25
CN1633774A (zh) 2005-06-29
WO2003081780A3 (en) 2004-02-19
ATE419690T1 (de) 2009-01-15
AU2003214189A8 (en) 2003-10-08
EP2309671A3 (en) 2013-08-28
US20070050629A1 (en) 2007-03-01
JP2005521323A (ja) 2005-07-14
US7349538B2 (en) 2008-03-25
DE60325575D1 (de) 2009-02-12
US7443980B2 (en) 2008-10-28
JP4405810B2 (ja) 2010-01-27
US20080013722A1 (en) 2008-01-17

Similar Documents

Publication Publication Date Title
US7337322B2 (en) Hierarchical identity-based encryption and signature schemes
Gentry et al. Hierarchical ID-based cryptography
Chen et al. Fully secure attribute-based systems with short ciphertexts/signatures and threshold access structures
Zheng et al. A strong provably secure IBE scheme without bilinear map
Ishida et al. Constructions of CCA-secure revocable identity-based encryption
Cheng et al. Remove key escrow from the identity-based encryption system
Khullar et al. An efficient identity based multi-receiver signcryption scheme using ECC
Huige et al. ID-based proxy re-signcryption scheme
Balasubramanian et al. Implementation of algorithms for identity based encryption and decryption
Gupta An IBE-based authenticated key transfer protocol on elliptic curves
Li et al. A new multi-receiver ID-based signcryption scheme for group communications
Wang et al. Hierarchial Identity-Based Encryption Scheme from Multilinear Maps
Kushwah et al. Efficient generalized signcryption schemes
Heng et al. k-Resilient identity-based encryption in the standard model
an Wang et al. On the role of pkg for proxy re-encryption in identity based setting
Karati et al. Cryptanalysis of Zheng et al.'s pairing-free secure IBE scheme
Ahmad et al. TIBC: Trade-off between Identity-Based and Certificateless Cryptography for future internet
Rahman et al. Decentralized ciphertext-policy attribute-based encryption from learning with errors over rings
CN111447064B (zh) Cryptographic reverse firewall method suitable for certificateless encryption
Tian et al. Security of a biometric identity-based encryption scheme
Sahana Raj et al. Efficiently Revocable Identity-Based Broadcast Encryption Using Integer Matrices as Keys
Lal et al. Multi-PKG ID based signcryption
Balasubramanian et al. Security of Identity-Based Encryption Algorithms
Lee et al. Identity-based signcryption from identity-based cryptography
Hu et al. Fully secure identity based proxy re-encryption schemes in the standard model

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NI NO NZ OM PH PL PT RO RU SC SD SE SG SK SL TJ TM TN TR TT TZ UA UG UZ VC VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE BG CH CY CZ DE DK EE ES FI FR GB GR HU IE IT LU MC NL PT RO SE SI SK TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

121 EP: The EPO has been informed by WIPO that EP was designated in this application
WWE WIPO information: entry into national phase

Ref document number: 2003579369

Country of ref document: JP

WWE WIPO information: entry into national phase

Ref document number: 20038039109

Country of ref document: CN

WWE WIPO information: entry into national phase

Ref document number: 2003711597

Country of ref document: EP

WWP WIPO information: published in national office

Ref document number: 2003711597

Country of ref document: EP