Practical hybrid (hierarchical) identity-based encryption schemes based on the decisional bilinear Diffie-Hellman assumption

At Eurocrypt 2005, Waters proposed an efficient identity-based encryption (IBE) scheme and its extension to a hierarchical IBE (HIBE). We describe a (H)IBE scheme which improves upon Waters scheme by significantly reducing the size of the public parameters. The reduction is based on two ideas. The first idea involves partitioning n-bit identities into l-bit blocks while the second idea involves reusing public parameters over different levels of a HIBE. The basic HIBE scheme is CPA-secure and yields a (hierarchical identity-based) signature scheme. Modification of the basic HIBE scheme using ideas from the work of Boyen, Mei and Waters yields a CCA-secure hybrid HIBE scheme. Further, by appropriately using symmetric key authentication, we are able to eliminate costly pairing operations from the decryption algorithm. The protocols and the security arguments are recast in the most efficient pairing setting, i.e., the Type 3 setting. Using the asymmetric pairing setting leads to several variants of the basic protocol with associated trade-off in the ciphertext overhead and public parameter size. We also incorporate with a small improvement the probabilty analysis that was recently put forth by Bellare and Ristenpart to remove the need of “artificial abort” in the original security argument of Waters IBE. For 80-bit or 128-bit security levels, the variants of the (H)IBE schemes that we obtain are currently the most efficient and practical among all other schemes which achieve similar security under a static assumption such as the hardness of decisional bilinear Diffie-Hellman problem. The basic idea of reusing public parameters over different levels of the HIBE provides improvements to the construction of other cryptographic primitives such as signatures, wildcard identity-based encryption and certificateless encryption.