Hierarchical identity-based encryption and signature schemes
First Claim
1. A method of encoding and decoding a digital message between a sender and a recipient, wherein the recipient is n+1 levels below a root PKG in a hierarchical system including a plurality of PKGs, the plurality of PKGs including at least the root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧
- 1, the method comprising;
selecting a root key generation secret that is known only to the root PKG;
generating a root key generation parameter based on the root key generation secret;
selecting a lower-level key generation secret for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG;
generating a lower-level key generation parameter for each of the n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG;
encoding the message to form a ciphertext using at least the root key generation parameter and recipient identity information;
generating a recipient private key such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient identity information; and
decoding the ciphertext to recover the message using at least the recipient private key.
2 Assignments
0 Petitions
Accused Products
Abstract
Methods are provided for encoding and decoding a digital message between a sender and a recipient in a system including a plurality of private key generators (“PKGs”). The PKGs include at least a root PKG and n lower-level PKG in the hierarchy between the root PKG and the recipient. A root key generation secret is selected and is known only to the root PKG. A root key generation parameter is generated based on the root key generation secret. A lower-level key generation secret is selected for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG. A lower-level key generation parameter also is generated for each of the n lower-level PKGs using at least the lower-level key generation secret for its associated lower-level private key generator. The message is encoded to form a ciphertext using at least the root key generation parameter and recipient identity information associated with the recipient. A recipient private key is generated such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets, and the recipient identity information. The ciphertext is decoded to recover the message using at least the recipient private key.
115 Citations
65 Claims
-
1. A method of encoding and decoding a digital message between a sender and a recipient, wherein the recipient is n+1 levels below a root PKG in a hierarchical system including a plurality of PKGs, the plurality of PKGs including at least the root PKG and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧
- 1, the method comprising;
selecting a root key generation secret that is known only to the root PKG;
generating a root key generation parameter based on the root key generation secret;
selecting a lower-level key generation secret for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG;
generating a lower-level key generation parameter for each of the n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG;
encoding the message to form a ciphertext using at least the root key generation parameter and recipient identity information;
generating a recipient private key such that the recipient private key is related to at least the root key generation secret, one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient, and the recipient identity information; and
decoding the ciphertext to recover the message using at least the recipient private key. - View Dependent Claims (2, 3, 4, 5)
- 1, the method comprising;
-
6. A method of encoding and decoding a message between a sender and a recipient in a system including a plurality of PKGs, the plurality of PKGs including m lower-level PKGs in the hierarchy between the root PKG and the sender, wherein m≧
- 1, and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧
1, wherein at least l of the plurality of PKGs in the hierarchy are common ancestors to both the sender and the recipient, wherein l≧
1, and wherein PKGl is a common ancestor PKG to both the sender and the recipient, the method further comprising;
selecting a root key generation secret that is known only to the root PKG;
generating a root key generation parameter based on the root key generation secret;
selecting a lower-level key generation secret for each of the m and n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG;
generating a lower-level key generation parameter for each of the m and n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG;
generating a sender private key such that the sender private key is related to at least sender identity information, the root key generation secret, and one or more of the m lower-level key generation secrets associated with the m PKGs between the root PKG and the sender;
generating a recipient private key such that is related to at least recipient identity information, the root key generation secret, and one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the recipient;
encoding the message using at least the recipient identity information, the sender private key, and zero or more of the lower-level key generation parameters associated with the (m−
l+1) PKGs between the root PKG and the sender that are at or below the level of the common ancestor PKGl, but not any of the lower-level key generation parameters that are associated with the (l−
1) PKGs above the common ancestor PKGl; and
decoding the ciphertext using at least the recipient private key and zero or more of the lower-level key generation parameters associated with the (n−
l+1) PKGs between the root PKG and the recipient that are at or below the level of the lowest common ancestor PKGl, but not using any of the lower-level key generation parameters that are associated with the (l−
1) PKGs that above the common ancestor PKGl. - View Dependent Claims (7, 8, 9, 10, 11)
- 1, and n lower-level PKGs in the hierarchy between the root PKG and the recipient, wherein n≧
-
12. A method of generating and verifying a digital signature of a message between a sender and a recipient, wherein the sender is m+1 levels below a root PKG in a hierarchical system including a plurality of PKGs, the plurality of PKGs including at least the root PKG and m lower-level PKGs in the hierarchy between the root PKG and the sender, wherein m≧
- 1, the method comprising;
selecting a root key generation secret that is known only to the root PKG;
generating a root key generation parameter based on the root key generation secret;
generating a lower-level key generation secret for each of the m lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG;
generating a lower-level key generation parameter for each of the m lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG;
generating a sender private key for the sender such that the sender private key is related to at least sender identity information, the root key generation secret, and one or more of the m lower-level key generation secrets associated with the m lower-level PKGs in the hierarchy between the root PKG and the sender;
signing the message to generate the digital signature using at least the sender private key; and
verifying the digital signature using at least the root key generation parameter and the sender identity information. - View Dependent Claims (13)
- 1, the method comprising;
-
14. A method of generating a private key for an entity in a system including a plurality of PKGs, the plurality of PKGs including at least a root PKG and n lower-level PKGs in the hierarchy between the root PKG and the entity, wherein n≧
- 1, the method comprising;
generating a root key generation secret that is known only to the root PKG;
generating a root key generation parameter based on the root key generation secret;
generating a lower-level key generation secret for each of the n lower-level PKGs, wherein each lower-level key generation secret is known only to its associated lower-level PKG;
generating a lower-level key generation parameter for each of the n lower-level PKGs, wherein each lower-level key generation parameter is generated using at least the lower-level key generation secret for its associated lower-level PKG;
generating a private key for the entity such that the private key is related to at least identity information associated with the entity, the root key generation secret, and one or more of the n lower-level key generation secrets associated with the n lower-level PKGs in the hierarchy between the root PKG and the entity; and
providing the private key to the entity.
- 1, the method comprising;
-
15. A method of generating a private key for a recipient z in a system, wherein the recipient z is n+1 levels below a root PKG in the hierarchy, and wherein the recipient is associated with a recipient ID-tuple (IDz1, . . . , IDz(n+1)) that includes identity information IDz(n+1) associated with the recipient and identity information IDzi associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient, the method comprising:
-
generating a first cyclic group G1 of elements and a second cyclic group G2 of elements;
selecting a function ê
capable of generating an element of the second cyclic group G2 from two elements of the first cyclic group G1;
selecting a root generator P0 of the first cyclic group G1;
selecting a random root key generation secret s0 associated with and known only to the root PKG;
generating a root key generation parameter Q0=s0P0;
selecting a function H1 capable of generating an element of the first cyclic group G1 from a first string of binary digits;
generating a public element Pzi for each of the n lower-level PKGs, wherein Pzi=H1(ID1, . . . , IDzi) for 1≦
i≦
n;
selecting a lower-level key generation secret szi for each of the n lower-level PKGs, wherein each lower-level key generation secret szi is known only to its associated lower-level PKG;
generating a lower-level secret element Szi for each of the n lower-level PKGs, wherein Szi=Sz(i−
1)+sz(i−
1)Pzi for 1≦
i≦
n, wherein sz0=s0, and wherein Sz0 is defined to be zero;
generating a lower-level key generation parameter Qzi for each of the n lower-level PKGs, wherein Qzi=sziP0 for 1≦
i≦
ngenerating a recipient public element Pz(n+1)=H1(IDz1, . . . , IDz(n+1)) associated with the recipient, wherein Pz(n+1) is an element of the first cyclic group G1; and
generating a recipient private key
associated with the recipient. - View Dependent Claims (16, 17, 18, 19)
-
-
20. A method of encoding and decoding a digital message M communicated between a sender and a recipient z, wherein the recipient z is n+1 levels below a root PKG in a hierarchical system, and wherein the recipient is associated with a recipient ID-tuple (IDz1, . . . , IDz(n+1)) that includes identity information IDz(n+1) associated with the recipient and identity information IDzi associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient, the method comprising:
-
generating a first cyclic group G1 of elements and a second cyclic group G2 of elements;
selecting a function ê
capable of generating an element of the second cyclic group G2 from two elements of the first cyclic group G1;
selecting a root generator P0 of the first cyclic group G1;
selecting a random root key generation secret s0 associated with and known only to the root PKG;
generating a root key generation parameter Q0=s0P0;
selecting a first function H1 capable of generating an element of the first cyclic group G1 from a first string of binary digits;
selecting a second function H2 capable of generating a second string of binary digits from an element of the second cyclic group G2;
generating a public element Pzi for each of the n lower-level PKGs, wherein Pzi=H1(ID1, . . . , IDzi) for 1≦
i≦
n;
selecting a lower-level key generation secret szi for each of the n lower-level PKGs, wherein each lower-level key generation secret szi is known only to its associated lower-level PKG;
generating a lower-level secret element Szi for each of the n lower-level PKGs, wherein Szi=Sz(i−
1)+sz(i−
1)Pzi for 1≦
i≦
n, wherein sz0=s0, and wherein Sz0 is defined to be zero;
generating a lower-level key generation parameter Qzi for each of the n lower-level PKGs, wherein Qzi=sziP0 for 1≦
i≦
n;
generating a recipient public element Pz(n+1)=H1(IDz1, . . . , IDz(n+1)) associated with the recipient;
generating a recipient secret element
associated with the recipient;
encoding the message M to generate a ciphertext C using at least the recipient ID-tuple (ID1, . . . , IDzi) and the root key generation parameter Q0; and
decoding the ciphertext C to recover the message M using at least the recipient secret element Sz(n+1). - View Dependent Claims (21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
-
-
36. A method of encoding and decoding a digital message M between a sender y and a recipient z in a system including a plurality of PKGs, the plurality of PKGs including m lower-level PKGs in the hierarchy between the root PKG and the sender y, wherein m≧
- 1, and n lower level PKGs in the hierarchy between the root PKG and the recipient z, wherein n≧
1, wherein at least l of the PKGs in the hierarchy are common ancestors to both the sender y and the recipient z, wherein l≧
1, wherein PKGl is a common ancestor PKG to both the sender and the recipient, wherein the sender y is associated with a sender ID-tuple (IDy1, . . . , IDy(m+1)) that includes identity information IDy(m+1) associated with the sender y and identity information IDyi associated with each of m lower-level PKGs in the hierarchy between the root PKG and the sender y, and wherein the recipient is associated with a recipient ID-tuple (IDzl, . . . , IDz(n+1)) that includes identity information IDz(n+1) associated with the recipient and identity information IDzi associated with each of n lower-level PKGs in the hierarchy between the root PKG and the recipient, the method further comprising;
generating a first cyclic group G1 of elements and a second cyclic group G2 of elements;
selecting a function ê
capable of generating an element of the second cyclic group G2 from two elements of the first cyclic group G1;
selecting a root generator P0 of the first cyclic group G1;
selecting a random root key generation secret s0 associated with and known only to the root PKG;
generating a root key generation parameter Q0=s0P0;
selecting a first function H1 capable of generating an element of the first cyclic group G1 from a first string of binary digits;
selecting a second function H2 capable of generating a second string of binary digits from an element of the second cyclic group G2;
generating a public element Pyi for each of the m lower-level PKGs, wherein Pyi=H1(IDy1, . . . , IDyi) for 1≦
i≦
m, and wherein Pyi=Pzi for all i≦
l;
generating a public element Pzi for each of the n lower-level PKGs, wherein Pzi=H1(ID1, . . . , IDzi) for 1≦
i≦
n;
selecting a lower-level key generation secret syi for each of the m lower-level PKGs, wherein syi=szi for all i≦
l;
selecting a lower-level key generation secret szi for each of the n lower-level PKGs, wherein each lower-level key generation secret szi is known only to its associated lower-level PKG;
generating a lower-level secret element Syi for each of the m lower-level PKGs, wherein Syi=Sy(i−
1)+sy(i-1)Pyi for 1≦
i≦
m, and wherein Syi=Szi for all i≦
l;
generating a lower-level secret element Szi for each of the n lower-level PKGs, wherein Szi=Sz(i−
1)+sz(i−
)Pzi for 1≦
i≦
n, wherein sz0=s0, and wherein Sz0 is defined to be zero;
generating a lower-level key generation parameter Qyi for each of the m lower-level PKGs, wherein Qyi=syiP0 for 1≦
i≦
m, and wherein Qyi=Qzi for all i≦
l;
generating a lower-level key generation parameter Qzi for each of the n lower-level PKGs, wherein Qzi=sziP0 for 1≦
i≦
n;
generating a sender public element Py(m+1)=H1(IDy1, . . . , IDy(m+1)) associated with the sender y;
generating a recipient public element Pz(n+1)=H1(IDz1, . . . , IDz(n+1)) associated with the recipient;
generating a sender secret element
associated with the sender;
generating a recipient secret element
associated with the recipient;
encoding the message M to generate a ciphertext C using at least the lower-level key generation parameters Qyi for l<
i≦
m and the sender secret element Sy(m+1), but not using the lower-level key generation parameters Qyi for i<
l; and
decoding the ciphertext C to recover the message M using at least the lower-level key generation parameters Qzi for l<
i≦
n and the recipient secret element Sz(n+1), but not using the lower-level key generation parameters Qzi for i<
l. - View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55)
- 1, and n lower level PKGs in the hierarchy between the root PKG and the recipient z, wherein n≧
-
56. A method of generating and verifying a digital signature Sig of a digital message M communicated between a sender and a recipient, wherein the sender is m+1 levels below a root PKG in a hierarchical system, and wherein the sender is associated with a sender ID-tuple (IDy1, . . . , IDy(m+1)) that includes identity information IDy(m+1) associated with the sender and identity information IDyi associated with each of m lower-level PKGs in the hierarchy between the root PKG and the sender, the method comprising:
-
generating a first cyclic group G1 of elements and a second cyclic group G2 of elements;
selecting a bilinear, non-degenerate pairing ê
capable of generating an element of the second cyclic group G2 from two elements of the first cyclic group G1;
selecting a root generator P0 of the first cyclic group G1;
selecting a random root key generation secret s0 associated with and known only to the root PKG;
generating a root key generation parameter Q0=s0P0;
selecting a first function H1 capable of generating an element of the first cyclic group G1 from a first string of binary digits;
generating a public element Pyi for each of the m lower-level PKGs, wherein Pyi=H1(IDy1, . . . , IDyi) for 1≦
i≦
m;
selecting a lower-level key generation secret syi for each of the n lower-level PKGs, wherein each lower-level key generation secret syi is known only to its associated lower-level PKG;
generating a lower-level secret element Syi for each of the m lower-level PKGs, wherein Syi=Sy(i−
1)+Sy(i−
1)Pyi for 1≦
i≦
m,;
generating a lower-level key generation parameter Qyi for each of the m lower-level PKGs, wherein Qyi=SyiP0 for 1≦
i≦
m;
generating a sender public element Py(m+1)=H1(IDy1, . . . , IDy(m+1)) associated with the sender;
generating a sender secret element Sy(m+1)=Sym+symPy(m+1)=Σ
i=1m+1sy(i−
1)Pyi associated with the sender;
signing the message M to generate a digital signature Sig using at least the sender secret element Sy(m+1); and
verifying the digital signature Sig using at least the root key generation parameter Q0 and the lower-level key generation parameters Qyi. - View Dependent Claims (57, 58, 59, 60, 61, 62, 63, 64, 65)
-
Specification