@article{oai:ipsj.ixsq.nii.ac.jp:00009824,
 author = {Atsuko, Miyaji and Atsuko, Miyaji},
 issue = {9},
 journal = {情報処理学会論文誌},
 month = {Sep},
 note = {An ID-based encryption (IBE) is a public key cryptosystem  in which a user’s public key is given as a user ID. In IBE  only a single center generates all user secret keys  which may give the center a load of burdensome work. A hierarchical ID-based encryption (HIBE) is a kind of IBE and overcomes the problem by delegating a user secret key generation to a lower-level center  in which centers form a hierarchical structure. However  all ancestor nodes in HIBE act as centers. That is  any ancestor as well as the root can generate a secret key for any descendant node and  thus  a cipher text to a node can be decrypted by any ancestor node even if the ancestor does not have the same secret key as that of a target node. In this paper  we propose the concept of ancestor-excludable HIBE  in which ancestors with a level less than the designated one can be excluded from a set of privileged ancestors with a right to decrypt a cipher text to a target node. We also give the functional definition together with the security definition. This notion is denoted by AE-HIBE simply. We present the concrete example of AE-HIBE  which can work with constant-size ciphertext and decryption time  independent of the hierarchy level. We prove that our AE-HIBE is selective-ID-CPA secure in the standard model  which can be converted to be selective-ID-CCA secure by applying a general conversion method. Furthermore  AE-HIBE can be naturally applied to the broadcast encryption to realize the efficient public-key version with the user-key size of O(log2 N) and the transmission rate of O(r) for N users and r revoked users. The user-key size is the smallest at the transmission rate of O(r)  up to the present., An ID-based encryption (IBE) is a public key cryptosystem, in which a user’s public key is given as a user ID. In IBE, only a single center generates all user secret keys, which may give the center a load of burdensome work. A hierarchical ID-based encryption (HIBE) is a kind of IBE and overcomes the problem by delegating a user secret key generation to a lower-level center, in which centers form a hierarchical structure. However, all ancestor nodes in HIBE act as centers. That is, any ancestor as well as the root can generate a secret key for any descendant node and, thus, a cipher text to a node can be decrypted by any ancestor node even if the ancestor does not have the same secret key as that of a target node. In this paper, we propose the concept of ancestor-excludable HIBE, in which ancestors with a level less than the designated one can be excluded from a set of privileged ancestors with a right to decrypt a cipher text to a target node. We also give the functional definition together with the security definition. This notion is denoted by AE-HIBE simply. We present the concrete example of AE-HIBE, which can work with constant-size ciphertext and decryption time, independent of the hierarchy level. We prove that our AE-HIBE is selective-ID-CPA secure in the standard model, which can be converted to be selective-ID-CCA secure by applying a general conversion method. Furthermore, AE-HIBE can be naturally applied to the broadcast encryption to realize the efficient public-key version with the user-key size of O(log2 N) and the transmission rate of O(r) for N users and r revoked users. The user-key size is the smallest at the transmission rate of O(r), up to the present.},
 pages = {2999--3013},
 title = {Ancestor Excludable Hierarchical ID-based Encryption and Its Application to Broadcast Encryption},
 volume = {48},
 year = {2007}
}