Efficient (Anonymous) Compact HIBE from Standard Assumptions

We present two hierarchical identity-based encryption (HIBE) schemes, denoted as H1 and H2, from Type-3 pairings with constant sized ciphertexts. Scheme H1 achieves anonymity while H2 is non-anonymous. The constructions are obtained by extending the IBE scheme recently proposed by Jutla and Roy (Asiacrypt 2013). Security is based on the standard decisional Symmetric eXternal Diffie-Hellman (SXDH) assumption. In terms of provable security properties, previous direct constructions of constant-size ciphertext HIBE had one or more of the following drawbacks: security in the weaker model of selective-identity attacks; exponential security degradation in the depth of the HIBE; and use of non-standard assumptions. The security arguments for H1 and H2 avoid all of these drawbacks. These drawbacks can also be avoided by obtaining HIBE schemes by specialising schemes for hierarchical inner product encryption; the downside is that the resulting efficiencies are inferior to those of the schemes reported here. Currently, there is no known anonymous HIBE scheme having the security properties of H1 and comparable efficiency. An independent work by Chen and Wee describes a non-anonymous HIBE scheme with security claims and efficiency similar to that of H2; we note though that in comparison to H2, the Chen-Wee HIBE scheme has larger ciphertexts and less efficient encryption and decryption algorithms. Based on the current state-of-the-art, H1 and H2 are the schemes of choice for efficient implementation of (anonymous) HIBE constructions.