Next Article in Journal
Note on Type 2 Degenerate q-Bernoulli Polynomials
Next Article in Special Issue
Smart Contract-Based Pool Hopping Attack Prevention for Blockchain Networks
Previous Article in Journal
An Enhanced Algorithm of RNN Using Trend in Time-Series
Previous Article in Special Issue
Improved Sparse Coding Algorithm with Device-Free Localization Technique for Intrusion Detection and Monitoring
 
 
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:
Background:
Article

Efficient Hierarchical Identity-Based Encryption System for Internet of Things Infrastructure

1
School of Computer and Information Technology, Shanxi University, Taiyuan 030006, China
2
School of Electrical and Computer Engineering, Xiamen University Malaysia, Jalan Sunsuria, Bandar Sunsuria, Sepang 43900, Selangor Darul Ehsan, Malaysia
*
Author to whom correspondence should be addressed.
Symmetry 2019, 11(7), 913; https://doi.org/10.3390/sym11070913
Submission received: 19 June 2019 / Revised: 4 July 2019 / Accepted: 8 July 2019 / Published: 13 July 2019

Abstract

:
Security is a main concern for the Internet of Things (IoT) infrastructure as large volumes of data are collected and processed in the systems. Due to the limited resources of interconnected sensors and devices in the IoT systems, efficiency is one of the key considerations when deploying security solutions (e.g., symmetric/asymmetric encryption, authentication, etc.) in IoT. In this paper, we present an efficient Hierarchical Identity-Based Encryption (HIBE) system with short parameters for protecting data confidentiality in distributed IoT infrastructure. Our proposed HIBE system has the public parameters, private key, and ciphertext, each consisting of a constant number of group elements. We prove the full security of the HIBE system in the standard model using the dual system encryption technique. We also implement the proposed scheme and compare the performance with the original Lewko–Waters HIBE. To the best of our knowledge, our construction is the first HIBE system that achieves both full security in the standard model and short parameters in terms of the public parameters, private key, and ciphertext.

1. Introduction

Encryption is a security solution used for data confidentiality protection. There are two types of encryption systems, namely symmetric and asymmetric. A symmetric encryption system uses the same key for encryption and decryption. In an asymmetric encryption (also known as public-key encryption) system, a public key of the data recipient is used for encryption, and the private key is used for decryption. In 1984, Shamir [1] proposed the idea of identity-based cryptography where the identity (ID) of a user is used as a public key, and a third party, called the Private Key Generator (PKG), is responsible for generating a private key for the user. This approach simplifies the problem of managing digital certificates in traditional public key systems. It was only in 2001 that Boneh and Franklin [2] constructed the first Identity-Based Encryption (IBE) scheme from the Weil pairing with chosen ciphertext security in the random oracle model. Many IBE schemes [3,4,5] were then proposed and proven secure in the standard model. Horwitz and Lynn [6] introduced the notion of Hierarchical Identity-Based Encryption (HIBE), which gives more flexibility for users to share and manage sensitive data. In an HIBE scheme, private keys at a lower level of PKG can be issued by a higher level of PKG. This reduces the burden for a single PKG setting of IBE.
One of the main design issues for the HIBE system is to obtain an efficient scheme with short parameters (e.g., public parameters, private key, ciphertext). It is desirable to design an HIBE scheme with parameters that are independent of the maximum hierarchy depth or the depth of user identity. Otherwise, it is not practical to be implemented in the application due to high computation and communication cost. In terms of security, it is desirable to have an HIBE system with full security as compared to selective-identity security. Many previous HIBE schemes have been designed in the direction of achieving the above properties. However, most previous realizations of HIBE systems [7] only provided the above features partially, i.e., achieving constant-size ciphertext (resp. private key), but the private key (resp. ciphertext) still depends on the hierarchy depth.

1.1. Applications

The hierarchical structure and the key delegation property of HIBE make it an ideal security solution for protecting data confidentiality in the emerging computing and network environments, such as cloud storage, smart home systems, mobile networks, and the Internet of Things (IoT) [8,9,10,11,12]. The advantage of an HIBE system is that it provides the scalability of IBE system in a distributed network environment by reducing the workload of a root PKG. This can be achieved by delegating lower-level sub-PKGs for key generation.
Consider the applications in IoT where many sensors and devices are interconnected. HIBE can be deployed in the IoT system such as the unit IoT and Ubiquitous IoT (U2IoT) architecture [13,14] to support secure data storage and exchange. In the U2IoT architecture, multiple interconnected sensors or devices form a unit IoT. A local IoT and industrial IoT comprise multiple unit IoT within a region or an industry, respectively. The local IoT and industrial IoT in a country are integrated by a national IoT to form the ubiquitous IoT. Data collected and exchanged by each IoT system in this architecture are managed by a Unit Data Center (UDC), Local Data Center (LDC), Industry Data Center (IDC), and National Data Center (NDC), respectively.
The root PKG of HIBE can be deployed in NDC, which delegates LDC and IDC as the sub-PKGs. The delegations follow the paths in the hierarchical structure as shown in Figure 1, where the lowest level is formed by the sensors. The NDC is responsible for generating the public parameters of the whole system. It also generates the private keys used by LDC and IDC, respectively. Subsequently, the task of key generation can be delegated to LDC and IDC for generating private keys of the UDC under their management. The private keys used by the sensors at the lowest level can be obtained from their respective UDC. Due to the constraint of the computation capability and power supply of the sensors in the IoT system, it is desirable to implement an efficient and secure HIBE system with short public parameters, private key, or ciphertext.

1.2. Our Contributions

We present an efficient HIBE system with a constant size of public parameters, private key, and ciphertext based on the composite order group. In particular, both the private key and ciphertext of our proposed HIBE system contain only three group elements, respectively. Our improved HIBE system is constructed by tweaking the HIBE system of Lewko and Waters [7]. The proposed HIBE construction is more efficient than [7] in terms of the runtime for key generation and encryption, as well as the size of public parameters and the private key. We apply the dual system encryption technique to prove the full security under three static assumptions. We believe that our system is the first one that achieves both full security and a constant size of public parameters, private key, and ciphertext.

1.3. Related Work

Horwitz and Lynn [6] first presented the concept of HIBE. In 2002, Gentry and Silverberg [15] constructed the first HIBE scheme, which was proven secure in the random oracle model. An efficient selective-ID secure HIBE without the random oracle was proposed by Boneh and Boyen [16]. Since then, some fully-secure HIBE schemes [17,18] without the random oracle were presented. The security of the above schemes was proven using a partitioning strategy [19], which divided the identity space into identities that were used in the key query phase and challenge phase, respectively. IBE systems that were proven secure using this technique generally had large public parameters, which make them impractical. The partitioning approach is also inadequate to use for proving the security of HIBE systems.
These limitations were highlighted by Waters [19] and solved with his dual-system encryption approach. Waters realized a fully-secure HIBE system with linear-sized ciphertext based on the proof technique in [19]. Lewko and Waters [7] proposed a new technique for dual-system encryption in composite order bilinear groups. They constructed the HIBE system with constant-size ciphertexts without tags. Angelo, Vincenzo, and Giuseppe [20] modified the HIBE construction of [7] to achieve anonymity. Some other recent fully-secure HIBE systems, which were proven using the dual-system encryption technique, include [21,22]. Chen and Wee [21] proposed a compact HIBE scheme in prime-order groups, but the scheme had a linear-sized private key and ciphertext. In [22], a fully-secure and anonymous HIBE scheme with short ciphertexts in prime order (asymmetric) bilinear groups was proposed. However, the size of public parameters and the private key of their HIBE scheme grew linearly with the hierarchy depth.
Park and Lee [23] constructed the first anonymous HIBE with constant-size ciphertext over prime-order groups, which was proven secure without random oracles. The anonymous HIBE scheme proposed in [24] had a constant size of the private key and ciphertext. However, we note that their HIBE construction was only secure against selective-identity-chosen plaintext attack. Hu et al. [25] also proposed an HIBE system that achieved a constant-size ciphertext and private key without random oracle, but the size of the public parameters depended on the hierarchy depth. Since the proposed Revocable Hierarchical Identity-Based Encryption (RHIBE) by Seo and Emura [26], there have been many studies on the construction of more efficient RHIBE in terms of shorter public parameters, private key, update key, or ciphertext [27,28,29,30,31,32].

1.4. Paper Organization

Definitions of the HIBE system and complexity assumptions are briefly reviewed in Section 2. Our improved HIBE scheme is described in Section 3. The security proof is shown in Section 4. Section 5 compares the performance of our construction with the HIBE system in [7]. Section 6 gives the conclusions and an open problem of our improved scheme.

2. Preliminaries

2.1. Bilinear Groups

Let q 1 , q 2 , q 3 be distinct primes and G and G T be cyclic groups of order N = q 1 q 2 q 3 . To define composite order bilinear groups [33], we use a group generating algorithm G , which takes a security parameter k as input and outputs a tuple ( N = q 1 q 2 q 3 , G , G T , e ) , where e : G × G G T is a map with the following properties:
  • (Bilinear) g , h G , a , b Z N , e ( g a , h b ) = e ( g , h ) a b .
  • (Non-degenerate) g G such that e ( g , g ) has order N in G T .
Here, we let G q 1 , G q 2 , and G q 3 denote the subgroups of order q 1 , q 2 , and q 3 in G , respectively. Given h i G q i and h j G q j for i j , we have e ( h i , h j ) = 1 (i.e., the identity element in G T ). This is known as the orthogonality property, and it will be used in our construction.

2.2. Complexity Assumptions

We use the complexity assumptions introduced in [7] to prove the security of our HIBE system. In the assumptions below, we let G q 1 q 2 denote the subgroup of order q 1 q 2 in G and G q 1 q 3 denote the subgroup of order q 1 q 3 in G .
Assumption 1.
The following distribution is defined based on a group generator G :
( N = q 1 q 2 q 3 , G , G T , e ) G ,
g 1 G q 1 , U 3 G q 3 ,
D = ( N , G , G T , e , g 1 , U 3 ) ,
T 1 G q 1 q 2 , T 2 G q 1 .
For an adversary B , we define the advantage as follows:
Adv B A 1 ( k ) = | P r [ B ( D , T 1 ) = 1 ] P r [ B ( D , T 2 ) = 1 ] | .
Definition 1.
We say that a group generator G satisfies Assumption 1 if for all polynomial time adversaries B , we have that Adv B A 1 ( k ) is negligible.
Assumption 2.
The following distribution is defined based on a group generator G :
( N = q 1 q 2 q 3 , G , G T , e ) G ,
g 1 , U 1 G q 1 , U 2 , V 2 G q 2 , U 3 , V 3 G q 3 ,
D = ( N , G , G T , e , g 1 , U 1 U 2 , U 3 , V 2 V 3 ) ,
T 1 G , T 2 G q 1 q 3 .
For an adversary B , we define the advantage as follows:
Adv B A 2 ( k ) = | P r [ B ( D , T 1 ) = 1 ] P r [ B ( D , T 2 ) = 1 ] | .
Definition 2.
We say that a group generator G satisfies Assumption 2 if for all polynomial time adversaries B , we have that Adv B A 2 ( k ) is negligible.
Assumption 3.
The following distribution is defined based on a group generator G :
( N = q 1 q 2 q 3 , G , G T , e ) G , α , s Z N ,
g 1 G q 1 , U 2 , V 2 , W 2 G q 2 , U 3 G q 3 ,
D = ( N , G , G T , e , g 1 , g 1 α U 2 , U 3 , g 1 s V 2 , W 2 ) ,
T 1 = e ( g 1 , g 1 ) α s , T 2 G T .
For an adversary B , we define the advantage as follows:
Adv B A 3 ( k ) = | P r [ B ( D , T 1 ) = 1 ] P r [ B ( D , T 2 ) = 1 ] | .
Definition 3.
We say that a group generator G satisfies Assumption 3 if for all polynomial time adversaries B , we have that Adv B A 3 ( k ) is negligible.

2.3. Hierarchical Identity-Based Encryption

An HIBE scheme is defined as the following five algorithms:
  • GlobalSetup ( 1 k ): On input 1 k where k is a security parameter, it returns the public parameters P K and a master secret key M S K .
  • KeyGen ( M S K , I D = ( I D 1 , , I D j ) ): On input M S K and an identity I D = ( I D 1 , , I D j ) of depth j, it returns a private key S K of I D = ( I D 1 , , I D j ) .
  • Delegate ( P K , S K I D = ( I D 1 , , I D j ) , I D j + 1 ) : On input P K , a private key for I D = ( I D 1 , , I D j ) , and an identity I D j + 1 , it returns a private key for I D =( I D 1 , , I D j + 1 ).
  • Encrypt ( P K , M , ( I D 1 , , I D j ) ): On input message M, P K , and identity ( I D 1 , , I D j ) , it returns a ciphertext C.
  • Decrypt ( S K I D = ( I D 1 , , I D j ) , C ) : On input S K I D = ( I D 1 , , I D j ) and C, it returns the message M.

2.4. Security Definition

The security of HIBE [34] is defined in term of the following game between a challenger C and an adversary A .
Setup: The challenger C runs the GlobalSetup algorithm and obtains the public parameters. C also maintains a set S for private keys it has created. Initially, S = . C gives the public parameters to A .
Phase 1: A issues the following queries:
  • Create: The identity vector I D = ( I D 1 , , I D j ) of depth j is given to C by A . C runs the KeyGen algorithm to generate the key for this identity vector. The key is then added in the set S. A reference of this key is returned to A .
  • Delegate: A specifies a private key S K I D in S and gives an identity I D j + 1 to C . C runs the Delegate algorithm to generate a new private key for I D =( I D 1 , , I D j + 1 ) and adds this key to S. It returns a reference of this key to A .
  • Reveal: A specifies an element of the set S. C gives this private key to A and removes it from S. At this point, A no longer needs to make delegation queries for this private key, as it can run the Delegate algorithm by itself.
Challenge: A gives two equal-length messages M 0 and M 1 , as well as a challenge identity I D to C . The restriction is that no revealed identity in Phase 1 is a prefix of this challenge identity. C flips a coin β { 0 , 1 } and encrypts M β under I D . It gives the resulting ciphertext C to A .
Phase 2: This phase is identical to Phase 1 with the restriction that any revealed identity must not be a prefix of the challenge identity I D .
Guess. A outputs a guess β { 0 , 1 } .
If β = β , then A wins the game. We define the advantage of an adversary A in this game to be:
Adv A H I B E ( k ) = P r [ β = β ] 1 2 .
Definition 4.
A hierarchical identity-based encryption scheme is secure if all polynomial time adversaries have at most a negligible advantage in the above security game.

3. Our Improved HIBE System

Our improved HIBE system achieves short parameters with a constant size of ciphertext, private key, and public parameter. The idea of the HIBE construction is to tweak the original Lewko and Waters HIBE system [7] by reducing the parameters without sacrificing its security. We find out that the aim of adding u i G q 1 to the original HIBE [7] is to make the key random in key delegation. We replace u i G q 1 with u 1 G q 1 , and the randomness is still the same as the original HIBE where the key K 1 , K 2 , E has a random r Z N in the exponent. Therefore, even when we take out u i G q 1 , the key remains fully randomized, and thus, our improved HIBE system also achieves full security.

3.1. Construction

Suppose G and G T denote bilinear groups of order N = q 1 q 2 q 3 , where q 1 , q 2 , q 3 are distinct primes. Let G q i be the subgroup of order q i in G and e : G × G G T be the bilinear map. The HIBE system is constructed as follows.
  • GlobalSetup ( 1 k ): Let k be the security parameter, g 1 , h 1 , u 1 G q 1 , U 3 G q 3 , and α Z N . The public parameters P K and master secret key M S K are generated as:
    P K = { N , g 1 , h 1 , u 1 , U 3 , e ( g 1 , g 1 ) α } , M S K = α .
  • KeyGen ( M S K , I D = ( I D 1 , , I D j ) ): The key generation algorithm first selects a random r Z N and random elements R 3 , R 3 , R 3 of G q 3 . It then generates the private key for an identity I D = ( I D 1 , , I D j ) of depth j by computing:
    K 1 = g 1 r R 3 , K 2 = g 1 α ( u 1 I D 1 + + I D j h 1 ) r R 3 , E = u 1 r R 3 .
    It outputs the private key as S K = ( K 1 , K 2 , E ) .
  • Delegate ( P K , S K I D = ( I D 1 , , I D j ) , I D j + 1 ) : Given a private key S K = ( K 1 , K 2 , E ) for ( I D 1 , , I D j ), a new key for ( I D 1 , , I D j + 1 ) is created as follows. The delegation algorithm selects a random r Z N and random elements R ˜ 3 , R ˜ 3 , R ˜ 3 G q 3 . The new key is computed as: K 1 = K 1 g 1 r R ˜ 3 , K 2 = K 2 ( u 1 I D 1 + + I D j h 1 ) r ( E ) I D j + 1 u 1 r I D j + 1 R ˜ 3 , E = E u 1 r R ˜ 3 . It outputs the private key for I D = ( I D 1 , , I D j , I D j + 1 ) as S K = ( K 1 , K 2 , E ) . We fully rerandomize this new key, i.e., the new key is only related to the values I D 1 , , I D j of the previous key.
  • Encrypt ( P K , M , ( I D 1 , , I D j ) ): To encrypt a message M under the public key ( I D 1 , , I D j ) , the encryption algorithm selects a random s Z N . It computes:
    C 0 = M · e ( g 1 , g 1 ) α s , C 1 = ( u 1 I D 1 + + I D j h 1 ) s , C 2 = g 1 s .
  • Decrypt ( S K I D = ( I D 1 , , I D j ) , C ) : Given an identity ( I D 1 , , I D j ) and a ciphertext C = ( C 0 , C 1 , C 2 ) , it decrypts the ciphertext with the private key S K I D = ( K 1 , K 2 , E ) by first computing:
    A = e ( K 2 , C 2 ) e ( K 1 , C 1 ) = e ( g 1 α ( u 1 I D 1 + + I D j h 1 ) r R 3 , g 1 s ) e ( g 1 r R 3 , ( u 1 I D 1 + + I D j h 1 ) s ) = e ( g 1 , g 1 ) α s · e ( u 1 I D 1 + + I D j h 1 , g 1 ) r s · e ( R 3 , g 1 s ) e ( g 1 , u 1 I D 1 + + I D j h 1 ) r s · e ( R 3 , ( u 1 I D 1 + + I D j h 1 ) s ) = e ( g 1 , g 1 ) α s
    Based on the orthogonality property, we have e ( R 3 , g 1 s ) = 1 and e ( R 3 , ( u 1 I D 1 + + I D j h 1 ) s ) = 1 .
    The message is then recovered by computing:
    C 0 / A = M

3.2. Semi-Functional Algorithms

The security of our HIBE system is proven by using the dual system encryption [7,19] methodology. With this proof technique, it is required to define an additional ciphertext and key, namely a semi-functional ciphertext and key. We only use them in the security proof of the HIBE system, but not in the real system.
We denote g 2 as a generator of G q 2 . The semi-functional key is created based on the normal private key ( K 1 , K 2 , E ) that was generated by the key generation algorithm. We then select exponents γ , z k , z R Z N and generate the semi-functional key as:
K 1 = K 1 · g 2 γ , K 2 = K 2 · g 2 γ z k , E = E · g 2 γ z .
The semi-functional ciphertext is created based on the normal ciphertext ( C 0 , C 1 , C 2 ) generated by the encryption algorithm. We then select exponents x , z c R Z N and generate the semi-functional ciphertext as:
C 0 = C 0 , C 1 = C 1 · g 2 x z c , C 2 = C 2 · g 2 x .
The decryption of a semi-functional ciphertext under a semi-functional key is computed by multiplying the blinding factor with e ( g 2 , g 2 ) x γ ( z k z c ) . We will obtain a correct decryption if z c = z k .

4. Security Analysis

The security proof of our HIBE system is shown with a sequence of games from Game Real Game Final that are played between an adversary A and a challenger C . We will show that no polynomial-time adversary A can distinguish one game from the next under a complexity assumption.
Game Real : The first game is the usual security game used for defining HIBE security. In this game, normal private keys and the challenge ciphertext are used between A and C .
Game Real : This game is the same as Game Real with the exception that all key queries will be answered by fresh calls to the key generation algorithm (the challenger C will not be asked to delegate keys in a particular way).
Game Restricted : This game is almost identical to Game Real except that the adversary A is restricted from making key queries for identities, which are prefixes of the challenge identity modulo q 2 .
Game k : Game k is similar to Game Restricted , except the following changes: 1. The first k keys are semi-functional for k from 0–w, where w denotes the number of key queries made by A . The rest of the keys are normal. 2. The ciphertext given to A is semi-functional. In Game 0 , all of the keys are normal. and a semi-functional challenge ciphertext is given to A . In Game w , all the keys and challenge ciphertext given to A are semi-functional.
Game Final : This game is the same as Game w , except that the challenger gives a semi-functional encryption of a random message to A as the challenge ciphertext. The random message is independent of the messages provided by A .
Lemma 1.
For any adversary A , Adv A G a m e R e a l = Adv A G a m e R e a l .
Proof. 
Keys that are returned to A ’s queries are identically distributed whether they are generated by the Delegate algorithm from a previous key or from a fresh call to the KeyGen algorithm. A ’s view in Game Real is identical to its view in Game Real .  □
Lemma 2.
Suppose there exists an adversary A such that Adv A G a m e R e a l Adv A G a m e R e s t r i c t e d = ϵ . Then, we can build an algorithm B with advantage Adv B A 2 ϵ 2 in breaking Assumption 2.
Proof. 
Suppose A has a probability ϵ of producing identities I D and I D such that I D I D modulo N and q 2 divides I D I D . B can then determine a nontrivial factor of N by computing a = g c d ( I D I D , N ) . Let b = N a . We consider the following three cases:
  • one of a , b is q 1 , and the other is q 2 q 3 ;
  • one of a , b is q 2 , and the other is q 1 q 3 ;
  • one of a , b is q 3 , and the other is q 1 q 2 .
Given D = ( N , G , G T , e , g 1 , U 1 U 2 , U 3 , V 2 V 3 ) and T, where T G or T G q 1 q 3 , B can simulate the security games with A and determine which of the above cases has occurred as follows:
  • Case 1: B first tests whether ( V 2 V 3 ) a = 1 or ( V 2 V 3 ) b = 1 . If either one of these equalities holds, then Case 1 occurs. B subsequently tests whether e ( T a , U 1 U 2 ) = 1 (we assume without loss of generality that a = q 1 and b = q 2 q 3 ). If the equality holds, B determines that T G q 1 q 3 . Otherwise, T G .
  • Case 2: B first tests whether ( U 1 U 2 ) a = 1 or ( U 1 U 2 ) b = 1 . If neither of these holds and the test for Case 1 fails, then Case 2 occurs. Next, B can determine which of a, b is equal to q 1 q 3 by testing which of g 1 a , g 1 b is the identity. Without loss of generality, we assume that a = q 2 and b = q 1 q 3 . B subsequently tests whether T b = 1 . If the equality holds, B determines that T G q 1 q 3 . Otherwise, T G .
  • Case 3: If the tests for Cases 1 and 2 fail, then Case 3 occurs. B can then determine which of a, b is equal to q 3 by testing which of U 3 a , U 3 b is the identity. We assume without loss of generality that a = q 3 . B subsequently tests whether e ( T a , V 2 V 3 ) = 1 . If the equality holds, B determines that T G q 1 q 3 . Otherwise, T G .
  □
Lemma 3.
Suppose there exists an adversary A such that Adv A G a m e R e s t r i c t e d Adv A G a m e 0 = ϵ . Then, we can build an algorithm B with advantage Adv B A 1 = ϵ in breaking Assumption 1.
Proof. 
Given D = ( N , G , G T , e , g 1 , U 3 ) and T, where T G q 1 q 2 or T G q 1 , Game Restricted or Game 0 is simulated as follows. B first selects random exponents α , a , b Z N . It then sets g 1 = g 1 , u 1 = g 1 a , h 1 = g 1 b . B keeps the master secret key M S K = α . It sends the public parameters P K = { N , g 1 , h 1 , u 1 , e ( g 1 , g 1 ) α } to A .
A ’s queries for the private key of identity I D = ( I D 1 , , I D j ) are answered by B as follows: B selects random exponents r , t , v and w Z N and sets:
K 1 = g 1 r U 3 t , K 2 = g 1 α ( u 1 I D 1 + + I D j h 1 ) r U 3 w , E = u 1 r U 3 v
At some point, B receives a challenge identity I D = ( I D 1 , , I D j ) and two messages M 0 , M 1 from A . B chooses a random β { 0 , 1 } and returns the challenge ciphertext as follows:
C 0 = M β · e ( T , g 1 ) α , C 1 = T a ( I D 1 + + I D j ) + b , C 2 = T .
If T G q 1 q 2 , the simulated semi-functional ciphertexts C 0 , C 1 , C 2 could match the primary semi-functional ciphertexts as follows:
C 0 = M β · e ( g 1 s g 2 x , g 1 ) α = M β · e ( g 1 , g 1 ) α s
C 1 = T ( a ( I D 1 + + I D j ) + b ) = ( g 1 s g 2 x ) ( a ( I D 1 + + I D j ) + b ) = g 1 s ( a ( I D 1 + + I D j ) + b ) g 2 x ( a ( I D 1 + + I D j ) + b ) = ( u 1 ( I D 1 + + I D j ) h 1 ) s g 2 x z c
C 2 = g 1 s g 2 x
The ciphertext ( C 0 , C 1 , C 2 ) is semi-functional with T implicitly set as g 1 s g 2 x and z c = a ( I D 1 + + I D j ) + b in Game 0 . This is properly distributed as z c mod q 2 is not correlated with a mod q 1 and b mod q 1 . If T G q 1 , then the ciphertext ( C 0 , C 1 , C 2 ) is normal in Game Restricted with T implicitly set as g 1 s . Therefore, these possibilities for T can be distinguished by B using the output of A .  □
Lemma 4.
Suppose there exists an adversary A such that Adv A G a m e k 1 Adv A G a m e k = ϵ . Then, we can build an algorithm B with advantage Adv B A 2 = ϵ in breaking Assumption 2.
Proof. 
Given D = ( N , G , G T , e , g 1 , U 1 U 2 , U 3 , V 2 V 3 ) and T, where T G or T G q 1 q 3 , Game k 1 or Game k is simulated as follows. B selects random exponents α , a , b Z N and sets g 1 = g 1 , u 1 = g 1 a , h 1 = g 1 b . B sends the public parameters P K = { N , g 1 , h 1 , u 1 , e ( g 1 , g 1 ) α } to A and keeps the master secret key M S K = α .
B answers A ’s i th key query for identity ( I D 1 , , I D j ) as follows:
  • For i < k , B selects random exponents r , z , t , v Z N first and then creates a semi-functional key as: K 1 = g 1 r ( V 2 V 3 ) t , K 2 = g 1 α ( u 1 I D 1 + + I D j h 1 ) r ( V 2 V 3 ) z , E = u 1 r ( V 2 V 3 ) v .
    The semi-functional key is properly distributed with g 2 γ = V 2 t . We note that values of t and zmodulo q 1 and modulo q 3 are uncorrelated by the Chinese remainder theorem.
  • For i > k , B runs the KeyGen algorithm to generate a normal key.
  • For i = k , B sets z k = a ( I D 1 + + I D j ) + b first and then creates the following key by choosing random exponents w k , w Z N :
    K 1 = T , K 2 = g 1 α T z k U 3 w k , E = T a U 3 w .
    If T G q 1 q 3 , it means that T is implicitly set as g 1 r R 3 and the key is normal. If T G , it means that T is implicitly set as g 1 r g 2 γ R 3 and we have a semi-functional key.
At some point, B receives a challenge identity I D = ( I D 1 , , I D j ) and two messages M 0 , M 1 from A . B chooses a random β { 0 , 1 } and returns the challenge ciphertext as follows: C 0 = M β · e ( U 1 U 2 , g 1 ) α , C 1 = ( U 1 U 2 ) a ( I D 1 + + I D j ) + b , C 2 = U 1 U 2 .
This means that g 1 s = U 1 and z c = a ( I D 1 + + I D j ) + b are implicitly set in the challenge ciphertext. Since I D k is not a prefix of the challenge I D mod q 2 , z k and z c are independent and randomly distributed.
If B generates a semi-functional ciphertext for I D k and attempts to test whether the k th key is semi-functional by trying the decryption, then we will have z c = z k , which makes the decryption always work regardless.
If T G q 1 q 3 , then B has properly simulated Game k 1 . If T G , then B has properly simulated Game k . Therefore, these possibilities for T can be distinguished by B using the output of A .  □
Lemma 5.
Suppose there exists an adversary A such that Adv A G a m e w Adv A G a m e F i n a l = ϵ . Then, we can build an algorithm B with advantage Adv B A 3 = ϵ in breaking Assumption 3.
Proof. 
Given D = ( N , G , G T , e , g 1 , g 1 α , U 2 , U 3 , g 1 s V 2 , W 2 ) and T, where T = e ( g 1 , g 1 ) α s or T is a random element of G T , B simulates Game w or Game Final with A as follows. It chooses random exponents a , b Z N and sets g 1 = g 1 , u 1 = g 1 a , h 1 = g 1 b , e ( g 1 , g 1 ) α = e ( g 1 α U 2 , g 1 ) . B sends the public parameters P K = { N , g 1 , h 1 , u 1 , e ( g 1 , g 1 ) α } to A .
A ’s queries for the private key of identity I D = ( I D 1 , , I D j ) are answered by B as follows: B randomly selects exponents c , r , t , w , z Z N , and sets a semi-functional key as: K 1 = g 1 r W 2 U 3 t , K 2 = g 1 α ( u 1 I D 1 + + I D j h 1 ) r W 2 a ( I D 1 + + I D j ) + b U 3 w , E = u 1 r W 2 z U 3 c .
This means that it implicitly sets W 2 = g 2 γ , z k = a ( I D 1 + + I D j ) + b . At some point, B receives a challenge identity I D = ( I D 1 , , I D j ) and two messages M 0 , M 1 from A . B chooses a random β { 0 , 1 } and returns the challenge ciphertext as follows:
C 0 = M β T , C 1 = ( g 1 s V 2 ) a ( I D 1 + + I D j ) + b , C 2 = g 1 s V 2 .
This implicitly sets z c = a ( I D 1 + + I D j ) + b . We note that u 1 = g 1 a and h 1 = g 1 b are elements of G q 1 , so when a and b are randomly chosen from Z N , the values of a mod q 1 and b mod q 1 and the value z c = a ( I D 1 + + I D j ) + b mod q 2 are random and independent.
If T = e ( g 1 , g 1 ) α s , then we have a properly-distributed semi-functional ciphertext ( C 0 , C 1 , C 2 ) under the message M β in Game w . If T is a random element of G T , then we have a semi-functional ciphertext ( C 0 , C 1 , C 2 ) under a random message in Game Final . Therefore, these possibilities for T can be distinguished by B using the output of A .  □
Theorem 1.
If Assumptions 1–3 hold, then the proposed HIBE system is secure.
Proof. 
If Assumptions 1–3 hold, then we have shown by the previous lemmas that the real security game is indistinguishable from Game Final , in which the value of B is information-theoretically hidden from the adversary. Hence, the adversary can obtain no advantage in breaking the HIBE system.  □

5. Performance Comparison

We provide a performance comparison of our improved HIBE system with other HIBE systems proposed in [7,19,22,25]. The efficiency comparison is summarized in Table 1. Let n be the maximum depth of the HIBE and d be the depth of identity vector. “ P K size”, “ S K size”, and “ C T size” denote the length of public parameters, private key, and ciphertext, respectively. We use P, E, and E T to represent the computational cost of a bilinear pairing, a G -exponentiation, and a G T -exponentiation operation respectively for the KeyGen, Encrypt, and Decrypt algorithms.
The public parameters size of [19] contains ( 2 n + 13 ) group elements. The private key size of [19] is O ( d ) . The public parameters and private key of [7] contain ( n + 3 ) and ( n d + 2 ) group elements, respectively. The public parameters size of [25] is ( 2 b n + 3 ) | G | + 1 | Z p | , where b is the bit length of an identity. However, the private key size of [25] is O ( 1 ) . In [22], the public parameters size is O ( n ) and the private key contains 6 ( n d ) + 12 group elements. In contrast, our improved HIBE system only requires constant-size public parameters and private key (i.e., independent of the depth of the hierarchy). In particular, public parameters and private key in our HIBE system contain only four and three group elements, respectively. All the HIBE systems in this comparison have constant-size ciphertext except [19] with O ( d ) of ciphertext size.
All of the three computational costs for [19] grow linearly with the depth of the identity vector. The computational costs of the Decrypt algorithm for [7,22,25] and our improved HIBE systems are all independent of the hierarchy depth. However, our improved HIBE system achieves better computation efficiency for the KeyGen and Encrypt algorithms as they are independent of the depth of the hierarchy and identity vector, respectively.
We implemented our improved HIBE system on a Windows 10 PC with a CPU of Intel Core i7-7700 (3.60 GHz) and memory of 16GB. We ran the KeyGen and Encrypt algorithms for different hierarchy depths ( n = 1 , 5 , 10 , , 50 ) and recorded the run time as shown in Table 2 and Table 3, respectively. As shown in Figure 2 and Figure 3, the run times of the KeyGen and Encrypt algorithms for our improved HIBE system were much faster than the original HIBE system in [7].

6. Conclusions and Future Work

Deploying efficient data protection mechanisms are the main challenges for a complex and heterogeneous Internet of Things infrastructure. We proposed an efficient HIBE system with short parameters where the public parameters, private key, and ciphertext are all independent of the hierarchy or identity depth. We proved the security of the improved system using the dual-system encryption technique. This is the only HIBE system simultaneously achieving full security in the standard model and providing O ( 1 ) -sized public parameters, private key, and ciphertext. Our improved HIBE construction is based on composite order groups. In general, an HIBE construction in prime order groups can achieve similar security levels with a smaller size of group elements. This may result in shorter ciphertexts, and the decryption is more efficient as compared to an HIBE system constructed over composite order groups [23]. Therefore, it would be interesting to explore the construction of an HIBE system based on prime order groups that can achieve all these properties simultaneously.

Author Contributions

Writing, original draft preparation, L.G. and J.W.; writing, review and editing, W.-C.Y.

Funding

Lifeng Guo was supported by National Science Foundation of China (Grant No. 61202365), Project for Returned Overseas of Shanxi Province (2015-015), Natural Science Foundation of Shanxi Province, China (Grant No. 201701D12052), and National Natural Science Foundation of China (Grant No. 61872226).

Conflicts of Interest

The authors declare no conflict of interest. The funders had no role in the design of the study; in the collection, analyses, or interpretation of data; in the writing of the manuscript; nor in the decision to publish the results.

References

  1. Shamir, A. Identity-Based Cryptosystems and Signature Schemes. In Advances in Cryptology; Springer: Berlin/Heidelberg, Germany, 1984; pp. 47–53. [Google Scholar]
  2. Boneh, D.; Franklin, M. Identity-Based Encryption from the Weil Pairing. In Advances in Cryptology-CRYPTO 2001; Springer: Berlin/Heidelberg, Germany, 2001; pp. 213–229. [Google Scholar] [Green Version]
  3. Boneh, D.; Boyen, X. Secure Identity Based Encryption Without Random Oracles. In Advances in Cryptology—CRYPTO 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 443–459. [Google Scholar] [Green Version]
  4. Gentry, C. Practical Identity-Based Encryption Without Random Oracles. In Advances in Cryptology—EUROCRYPT 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 445–464. [Google Scholar] [Green Version]
  5. Waters, B. Efficient Identity-Based Encryption Without Random Oracles. In Advances in Cryptology—EUROCRYPT 2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 114–127. [Google Scholar] [Green Version]
  6. Horwitz, J.; Lynn, B. Towards Hierarchical Identity-Based Encryption. In Advances in Cryptology—EUROCRYPT 2002; Springer: Berlin/Heidelberg, Germany, 2002; pp. 466–481. [Google Scholar]
  7. Lewko, A.; Waters, B. New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts. In Theory of Cryptography—TCC2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 455–479. [Google Scholar] [Green Version]
  8. Daniel, R.M.; Rajsingh, E.B.; Silas, S. Analysis of Hierarchical Identity Based Encryption Schemes and Its Applicability to Computing Environments. J. Inf. Secur. Appl. 2017, 36, 20–31. [Google Scholar] [CrossRef]
  9. Li, Y.; Wang, Y.; Zhang, Y. SecHome: A Secure Large-Scale Smart Home System Using Hierarchical Identity Based Encryption. In Information and Communications Security; Springer: Cham, Switzerland, 2018; pp. 339–351. [Google Scholar]
  10. Sha, K.; Wei, W.; Yang, T.A.; Wang, Z.; Shi, W. On Security Challenges and Open Issues in Internet of Things. Future Gener. Comput. Syst. 2018, 83, 326–337. [Google Scholar] [CrossRef]
  11. Trnka, M.; Cerny, T.; Stickney, N. Survey of Authentication and Authorization for the Internet of Things. Secur. Commun. Netw. 2018, 2018, 4351603. [Google Scholar] [CrossRef]
  12. Yu, F.R.; Tang, H.; Mason, P.C.; Wang, F. A Hierarchical Identity Based Key Management Scheme in Tactical Mobile Ad Hoc Networks. IEEE Trans. Netw. Serv. Manag. 2010, 7, 258–267. [Google Scholar] [CrossRef]
  13. Ning, H.; Liu, H.; Yang, L.T. Aggregated-Proof Based Hierarchical Authentication Scheme for the Internet of Things. IEEE Trans. Parallel Distrib. Syst. 2015, 26, 657–667. [Google Scholar] [CrossRef]
  14. Yang, L.T.; Liu, H.; Ning, H. Cyberentity Security in the Internet of Things. Computer 2013, 46, 46–53. [Google Scholar]
  15. Gentry, C.; Silverberg, A. Hierarchical ID-Based Cryptography. In Advances in Cryptology—ASIACRYPT 2002; Springer: Berlin/Heidelberg, Germany, 2002; pp. 548–566. [Google Scholar]
  16. Boneh, D.; Boyen, X. Efficient Selective-ID Secure Identity-Based Encryption Without Random Oracles. In Advances in Cryptology—EUROCRYPT 2004; Springer: Berlin/Heidelberg, Germany, 2004; pp. 223–238. [Google Scholar] [Green Version]
  17. Chatterjee, S.; Sarkar, P. HIBE With Short Public Parameters Without Random Oracle. In Advances in Cryptology—ASIACRYPT 2006; Springer: Berlin/Heidelberg, Germany, 2006; pp. 145–160. [Google Scholar]
  18. Sarkar, P.; Chatterjee, S. Construction of a Hybrid HIBE Protocol Secure against Adaptive Attacks: without Random Oracle. In First International Conference on Provable Security—ProvSec 2007; Springer: Berlin/Heidelberg, Germany, 2007; pp. 51–67. [Google Scholar]
  19. Waters, B. Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. In Advances in Cryptology—CRYPTO 2009; Springer: Berlin/Heidelberg, Germany, 2009; pp. 619–636. [Google Scholar] [Green Version]
  20. De Caro, A.; Iovino, V.; Persiano, G. Fully Secure Anonymous HIBE and Secret-Key Anonymous IBE with Short Ciphertexts. In Pairing-Based Cryptography—Pairing 2010; Springer: Berlin/Heidelberg, Germany, 2010; pp. 347–366. [Google Scholar]
  21. Chen, J.; Wee, H. Dual System Groups and its Applications—Compact HIBE and More. 2014. Available online: https://eprint.iacr.org/2014/265.pdf (accessed on 18 June 2019).
  22. Lee, K.; Park, J.H.; Lee, D.H. Anonymous HIBE with Short Ciphertexts: Full Security in Prime Order Groups. Designs Codes Cryptogr. 2015, 74, 395–425. [Google Scholar] [CrossRef]
  23. Park, J.H.; Lee, D.H. Anonymous HIBE: Compact Construction Over Prime-Order Groups. IEEE Trans. Inf. Theory 2013, 59, 2531–2541. [Google Scholar] [CrossRef]
  24. Zhang, L.; Mu, Y.; Wu, Q. Compact Anonymous Hierarchical Identity-Based Encryption with Constant Size Private Keys. Comput. J. 2016, 59, 452–461. [Google Scholar] [CrossRef]
  25. Hu, X.; Wang, J.; Xu, H.; Yang, Y. Constant Size Ciphertext and Private Key HIBE without Random Oracles. J. Inf. Sci. Eng. 2014, 30, 333–345. [Google Scholar]
  26. Seo, J.H.; Emura, K. Revocable Hierarchical Identity-based Encryption. Theor. Comput. Sci. 2014, 542, 44–62. [Google Scholar] [CrossRef]
  27. Jia, H.; Chen, Y.; Lan, J.; Huang, K.; Wang, J. Efficient Revocable Hierarchical Identity-Based Encryption using Cryptographic Accumulators. Int. J. Inf. Secur. 2018, 17, 477–490. [Google Scholar] [CrossRef]
  28. Lee, K.; Park, S. Revocable Hierarchical Identity-Based Encryption with Shorter Private Keys and Update Keys. Designs Codes Cryptogr. 2018, 86, 2407–2440. [Google Scholar] [CrossRef]
  29. Park, S.; Lee, D.H.; Lee, K. Revocable Hierarchical Identity-Based Encryption from Multilinear Maps. arXiv 2016, arXiv:1610.07948. [Google Scholar]
  30. Wang, C.; Li, Y.; Jiang, S.; Wu, J. An Efficient Adaptive-ID Secure Revocable Hierarchical Identity-Based Encryption Scheme. In Proceedings of the International Conference on Smart Computing and Communication (SmartCom 2016), Shenzhen, China, 17–19 December 2019; pp. 506–515. [Google Scholar]
  31. Xing, Q.; Wang, B.; Wang, X.; Chen, P. Unbounded Revocable Hierarchical Identity-Based Encryption with Adaptive-ID Security. In Proceedings of the IEEE 18th International Conference on High Performance Computing and Communications, Sydney, Austrilia, 12–14 Decmber 2016; pp. 430–437. [Google Scholar]
  32. Xing, Q.; Wang, B.; Wang, X.; Tao, J. Unbounded and Revocable Hierarchical Identity-Based Encryption with Adaptive Security, Decryption Key Exposure Resistant, and Short Public Parameters. PLoS ONE 2018, 13, e0195204. [Google Scholar] [CrossRef] [PubMed]
  33. Boneh, D.; Goh, E.-J.; Nissim, K. Evaluating 2-DNF Formulas on Ciphertexts. In Theory of Cryptography—TCC2005; Springer: Berlin/Heidelberg, Germany, 2005; pp. 325–341. [Google Scholar] [Green Version]
  34. Shi, E.; Waters, B. Delegating Capabilities in Predicate Encryption Systems. In Automata, Languages and Programming—ICALP2008; Springer: Berlin/Heidelberg, Germany, 2008; pp. 560–578. [Google Scholar] [Green Version]
Figure 1. Hierarchical Identity-Based Encryption (HIBE) application scenario. NDC, National Data Center; LDC, Local Data Center; IDC, Industry Data Center; UDC, Unit Data Center; PKG, Private Key Generator.
Figure 1. Hierarchical Identity-Based Encryption (HIBE) application scenario. NDC, National Data Center; LDC, Local Data Center; IDC, Industry Data Center; UDC, Unit Data Center; PKG, Private Key Generator.
Symmetry 11 00913 g001
Figure 2. Run time of the KeyGen algorithm for [7] and our improved HIBE system.
Figure 2. Run time of the KeyGen algorithm for [7] and our improved HIBE system.
Symmetry 11 00913 g002
Figure 3. Run time of the Encrypt algorithm for [7] and our improved HIBE system.
Figure 3. Run time of the Encrypt algorithm for [7] and our improved HIBE system.
Symmetry 11 00913 g003
Table 1. Efficiency comparison between existing and our improved HIBE system.
Table 1. Efficiency comparison between existing and our improved HIBE system.
Scheme P K Size S K Size C T SizeKeyGenEncryptDecrypt
[19] O ( n ) O ( d ) O ( d ) ( 4 d + 11 ) E ( 3 d + 11 ) E + 1 E T ( 2 d + 7 ) P
[7] O ( n ) O ( n d ) O ( 1 ) ( n + 3 ) E ( d + 2 ) E + 1 E T 2 P
[25] O ( b n ) O ( 1 ) O ( 1 ) ( 2 b d + 6 ) E ( 2 b d + 3 ) E + 2 E T 2 P + 1 E T
[22] O ( n ) O ( n d ) O ( 1 ) 8 n 6 d + 17 ( 3 d + 4 ) E + 1 E T 6 P
Ours O ( 1 ) O ( 1 ) O ( 1 ) 5 E 3 E + 1 E T 2 P
Table 2. The private key generation time of [7] and our improved HIBE system.
Table 2. The private key generation time of [7] and our improved HIBE system.
Depth[7] (s)Ours (s)
138.8512.444
5184.65312.122
10348.41323.886
15493.99336.009
20616.04447.865
25734.03459.715
30834.74472.646
35886.53485.998
40975.18898.309
451012.288108.427
501028.230125.729
Table 3. The encryption time of [7] and our improved HIBE system.
Table 3. The encryption time of [7] and our improved HIBE system.
Depth[7] (s)Ours (s)
10.8870.857
50.9490.840
101.0510.825
151.1320.839
201.2890.831
251.4270.828
301.5170.841
351.5360.852
401.6350.840
451.7550.842
501.8170.882

Share and Cite

MDPI and ACS Style

Guo, L.; Wang, J.; Yau, W.-C. Efficient Hierarchical Identity-Based Encryption System for Internet of Things Infrastructure. Symmetry 2019, 11, 913. https://doi.org/10.3390/sym11070913

AMA Style

Guo L, Wang J, Yau W-C. Efficient Hierarchical Identity-Based Encryption System for Internet of Things Infrastructure. Symmetry. 2019; 11(7):913. https://doi.org/10.3390/sym11070913

Chicago/Turabian Style

Guo, Lifeng, Jing Wang, and Wei-Chuen Yau. 2019. "Efficient Hierarchical Identity-Based Encryption System for Internet of Things Infrastructure" Symmetry 11, no. 7: 913. https://doi.org/10.3390/sym11070913

APA Style

Guo, L., Wang, J., & Yau, W. -C. (2019). Efficient Hierarchical Identity-Based Encryption System for Internet of Things Infrastructure. Symmetry, 11(7), 913. https://doi.org/10.3390/sym11070913

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop