Unbounded and revocable hierarchical identity-based encryption with adaptive security, decryption key exposure resistant, and short public parameters

PLOS ONE, Apr 2018

Revocation functionality and hierarchy key delegation are two necessary and crucial requirements to identity-based cryptosystems. Revocable hierarchical identity-based encryption (RHIBE) has attracted a lot of attention in recent years, many RHIBE schemes have been proposed but shown to be either insecure or bounded where they have to fix the maximum hierarchical depth of RHIBE at setup. In this paper, we propose a new unbounded RHIBE scheme with decryption key exposure resilience and with short public system parameters, and prove our RHIBE scheme to be adaptively secure. Our system model is scalable inherently to accommodate more levels of user adaptively with no adding workload or restarting the system. By carefully designing the hybrid games, we overcome the subtle obstacle in applying the dual system encryption methodology for the unbounded and revocable HIBE. To the best of our knowledge, this is the first construction of adaptively secure unbounded RHIBE scheme.

http://journals.plos.org/plosone/article/file?id=10.1371/journal.pone.0195204&type=printable


Qianqian Xing, Baosheng Wang, Xiaofeng Wang, Jing Tao
College of Computer, National University of Defense Technology, Changsha, Hunan, China. Qianqian Xing and Xiaofeng Wang contributed equally to this work.
Editor: Muhammad Khurram Khan, King Saud University, Saudi Arabia

Data Availability Statement: All relevant data are within the paper. My manuscript focuses on a problem in cryptography research. All the data for the comparison and evaluation are taken from the relevant papers in the references of the paper.

Funding: This work was supported by the National Basic Research and Development Program of China (973 Program), No. 2012CB315906, http://program.most.gov.cn/, Baosheng Wang (study design and decision to publish); and the National Key Research and Development Program of China, No. 2017YFB0802301, http://program.most.gov.cn/, Xiaofeng Wang (data analysis and preparation of the manuscript).

Competing interests: The authors have declared that no competing interests exist.

1 Introduction

Revocation functionality is indispensable to (H)IBE, since a secret key may be leaked by hacking, or a user's contract for using the system may legitimately expire. In the seminal works [1] [2], it has also been pointed out that providing an efficient hierarchical key delegation mechanism for IBE is essential. To satisfy both hierarchical key delegation and user revocation, revocable hierarchical identity-based encryption (RHIBE) has received attention. Unfortunately, most existing RHIBEs [1] [3] [4] [5] [6] [7] are either insecure or bounded, in that they have to fix the maximum hierarchical depth of the RHIBE at setup. Bounded (R)HIBE schemes restrict the maximum hierarchy of the (R)HIBE, i.e., they need to declare the maximum level in the public parameters at the setup phase. It is practically impossible to set the maximum hierarchy properly in practice: too small and it cannot accommodate enough users; too large and it wastes identity space needlessly and increases key computation unnecessarily.

In contrast, unbounded RHIBE is more scalable and allows efficient and dynamic user management. Ryu proposed an unbounded RHIBE scheme [7] inspired by a universe KP-ABE [8], but it only achieves selective-ID security. In the selective-ID security notion, the reduction algorithm requires the challenge identity before the setup phase of the proof [1, 3]. That means the adversary holds no information before giving the challenge ID, while the simulator can exploit the challenge information submitted by the adversary to construct the trick public parameters and other keys in the games.
That is a weaker security notion. Adaptive-ID security represents the full security notion, in which the adversary gives the challenge identity after it has learnt the public information. Lee [5] considered adaptively secure RHIBE, but his scheme does not support unbounded hierarchical key delegation. Xing [9] claimed to achieve the first adaptively secure and unbounded RHIBE, but its security proof, which uses the dual system encryption technique, has some flaws. Therefore, the construction of an adaptively secure unbounded RHIBE scheme is still an unsolved open problem.

1.1 Our techniques

The dual system encryption framework [10] is usually used for proving the adaptive security of HIBEs in composite-order bilinear groups. To achieve adaptive security in this framework, the notion of semi-functionality is introduced [10] [11], and the proof strategy is that the normal challenge ciphertext is changed to be semi-functional, and then each normal private key is changed to be semi-functional, one by one, through hybrid games. There is a paradox that needs to be overcome. Since a normal ciphertext can be decrypted by a semi-functional private key but a semi-functional ciphertext cannot be decrypted by a semi-functional private key, a simulator can check whether a private key is normal or semi-functional by decrypting a semi-functional ciphertext (note that a simulator can generate a ciphertext and a private key for any identity). To overcome this obstacle, the nominally semi-functional type of private key is introduced: the challenge semi-functional private key is constructed as a nominally semi-functional private key, so that the semi-functional ciphertext for the same identity generated by the simulator can always be decrypted by it. In addition, a detailed information-theoretic argument must be given to show that a nominally semi-functional key is indistinguishable from a semi-functional key.
Although dual system encryption is mature enough to be exploited in ordinary HIBEs to achieve adaptive security, it is more complex when dealing with revocable HIBE schemes. In HIBE, the essential restriction for the information-theoretic argument is that an adversary cannot query a private key for an $ID$ that is a prefix of the challenge identity $ID^*$. However, this restriction does not exist in RHIBEs: the private key of any prefix of $ID^*$ and the update key for the challenge time $T^*$ are both allowed queries for the adversary in RHIBEs. Recall that the simulator of an HIBE scheme can change a normal private key to a semi-functional private key by using a nominally semi-functional key and the constraint $ID \notin \mathrm{Prefix}(ID^*)$ of the security model. The nominally semi-functional key is indistinguishable from a semi-functional key by an information-theoretic argument using the constraint $ID \notin \mathrm{Prefix}(ID^*)$. However, in the case of (U-)RHIBE, this simple method cannot change the normal private key to the semi-functional private key, since the adversary can query and obtain the private key for any $ID \in \mathrm{Prefix}(ID^*)$. Moreover, an unbounded RHIBE scheme has such a low-entropy context that it is hard to carry out an information-theoretic argument, which differs from the bounded RHIBE schemes. So the dual system encryption method in Lee-RHIBE [5] does not work. Although Lewko and Waters [12] have proposed a nested dual system encryption approach that allows a sufficient information-theoretic argument in a very localized context for unbounded HIBEs, applying it trivially to a revocable extension does not preserve the information-theoretic argument because of the paradox above. Unfortunately, Xing and Wang [9] neglected this important change, so that the proof of their unbounded RHIBE scheme is non-rigorous and has flaws. Obviously the attacker can distinguish between the oracles they design for the game hoppings in [9], contrary to what they claim in Lemma 4.
To circumvent this subtle obstacle and apply the dual system encryption methodology to our adaptively secure unbounded RHIBE with decryption key exposure resistance, our strategy is threefold:

(1) We use a modular design strategy like [13] and construct the private keys and update keys from smaller component keys. A private key consists of many HIBE private keys that are related to a path in a binary tree, and an update key also consists of many IBE private keys that are related to a cover set in a binary tree. The HIBE and IBE private keys can be grouped together if they are related to the same node in the binary tree. So in the hybrid games we deal with the transformation of the component HIBE and IBE keys instead of directly with the private keys and update keys of the RHIBE, which cannot simply be changed from normal keys to semi-functional keys.

(2) We design a nested dual system encryption for revocable and hierarchical IBE schemes with the concept of ephemeral semi-functionality for secret keys, update keys, decryption keys and ciphertexts. To demonstrate a hybrid process of games over the challenge keys and ciphertexts, we define several oracles to simulate the different forms of the component HIBE and IBE keys which make up the semi-functional or ephemeral semi-functional secret keys, update keys and decryption keys.

(3) To carry out an information-theoretic argument successfully under the RHIBE model, we first classify the behaviour of an adversary into two types under the restriction of the RHIBE security model. The Type-1 adversary is restricted to queries on the secret keys of any hierarchical identity satisfying $ID_{|k} \notin \mathrm{Prefix}(ID^*_{|l})$, so we carefully re-design a sequence of hybrid games to carry out several information-theoretic arguments successfully for the secret keys and avoid a potential paradox for the update keys.
The Type-2 adversary is restricted to queries on update keys for times $T \neq T^*$, so we carefully re-design the other sequence of hybrid games to carry out several information-theoretic arguments successfully for the update keys and avoid a potential paradox for the secret keys.

1.2 Our result

We propose the first adaptively secure unbounded RHIBE in composite-order bilinear groups under simple static assumptions. It removes the limitation on the maximum hierarchical depth of the encryption system and accommodates more levels of users adaptively without adding workload or restarting the system. Our RHIBE scheme also supports decryption key exposure resistance by the key-randomization method, which meets the strong security notion for R(H)IBE [14]. Compared to existing RHIBE schemes, it is the first RHIBE to achieve adaptive-ID security, decryption key exposure resistance and unbounded key delegation simultaneously, as shown in Table 1. In Table 2, we compare the efficiency of key space and decryption computation, where $l$ is the maximum level of the hierarchy, $h$ is the level of a user in the hierarchy, $N$ is the maximum number of users in each level, $r$ is the number of revoked users, $t_e$ is the cost of one bilinear pairing, and $|G|$ and $|G_T|$ are the sizes of one element of $G$ and $G_T$ respectively. Our RHIBE scheme has short, constant-size public parameters that are independent of the maximum level of the system hierarchy. Moreover, our RHIBE reduces the size of the update key from $O(hr\log(N/r))$ to $O(h + r\log(N/r))$.

[Table 1: comparison of RHIBE schemes by adaptive-ID security, DKE resistance and underlying assumption (DBDH, q-Type, static, q-RW2); the scheme columns did not survive extraction.]

1.3 Related works

Efficient user revocation in RHIBE. An efficient tree-based key updating technique called the complete subtree (CS) method is a specific instance of the subset cover framework of Naor et al. [15].
In the scalable RIBEs using the CS method [16] [17] [14] [18] [19], every user holds a secret key composed of $\log N$ subkeys, where $N$ is the number of all users, and only one subkey of a non-revoked user can be used to generate a decryption key. If we directly extend this mechanism to an RHIBE scheme, a second-level user needs to prepare $(\log N)^2$ subkeys, since for every subkey of his parent he needs to generate $\log N$ subkeys, which results in $(\log N)^l$ subkeys for an $l$-level user. Tsai et al. simply set the update key as another secret key in their RHIBE scheme [4]. Their construction is just a trivial combination of two concurrent HIBE systems, one for the derivation of secret keys and another for update keys. Lacking any efficient method of update and revocation, the size of the update key depends linearly on the number of users instead of logarithmically. Moreover, their approach requires a new key center for update keys (called the delegated revocation authority, DRA). That double deployment of key centers increases the system cost. Seo and Emura proposed a revocable HIBE scheme [1] with $O(l^2 \log N)$-size secret keys for a user, where $l$ is the maximum hierarchical level. This history-preserving update method leads to lengthy history information in an update key and requires the recursive definition of secret keys and update keys. Afterwards, Seo proposed an RHIBE with $O(l \log N)$-size secret keys for a user by a history-free update method. Recently, Lee and Park [13] proposed a new RHIBE scheme with shorter private keys and update keys by combining, in a modular way, a new HIBE scheme that has short intermediate private keys with the CS scheme, where the size of the secret key is $O(\log N)$ and the size of the update key is $O(l + r\log(N/r))$. Another revocation method, called the subset difference (SD) method [20], was utilized to construct the RHIBEs in [3] [13] [5].
Although this method has better transmission complexity, it has a larger secret key size than the CS method.

Security model of R(H)IBE. Decryption key exposure resistance (DKER) has been considered by Seo [14], which discusses the case where several decryption keys $dk_{I^*,T}$ for the target identity $I^*$ are leaked to an adversary but the target decryption key $dk_{I^*,T^*}$ is not exposed. Other attacks should also be considered, such as the insider attack [3]. Since the hierarchical structure of RHIBE means that every user, as a low-level KGC, holds the state information of his lower-level child users, a stronger security model than that of RIBE should be considered, one which allows an insider adversary to access at least their own state information. The key re-randomization method [3] is an operable way to resist this attack and also the decryption key exposure attack mentioned in [3, 14].

Adaptive security of R(H)IBE. By employing the dual system encryption methodology [10, 11], adaptive-ID security can be proved directly for (H)IBE. But the security model of revocable HIBE differs from that of general HIBE, since the RHIBE system only disallows the decryption key query for the challenge identity and its ancestors at the challenge time, but allows the secret key query for the challenge identity and its ancestor identities. Therefore, dual system encryption for RHIBE is more complex than the general dual system for HIBE. The adaptive-ID secure RHIBEs [6] [5] employ dual system encryptions that are applicable to bounded schemes. Their proof strategy cannot be employed for unbounded (R)HIBE schemes, because the limited entropy available in the public parameters of unbounded schemes makes it difficult to construct the nominally semi-functional key without information-theoretic exposure. By applying the dual system encryption methodology in prime-order groups, Yohei [21] realizes an RIBE scheme with constant-size public parameters under static assumptions in prime-order groups.
2 Preliminaries

2.1 Revocable HIBE

Definition 1. We define an RHIBE scheme π = (Setup, GenKey, DeriveKey, UpdateKey, Encrypt, Decrypt, Revoke) as follows:

1. Setup($1^\lambda$): It takes a security parameter λ and outputs a master public key PP, a master secret key MK, an initial state $ST_0$, and an empty revocation list RL. Note that we do not require the maximum number of users in each level as an input parameter, unlike the definitions of all the bounded RHIBEs.
2. GenKey($ID_{|k}$, $ST_{ID_{|k-1}}$, PP): This algorithm takes as input $ST_{ID_{|k-1}}$ and an identity $ID_{|k}$, outputs the secret key $SK_{ID_{|k}}$, and updates $ST_{ID_{|k-1}}$.
3. UpdateKey(T, $RL_{ID_{|k-1}}$, $DK_{ID_{|k-1},T}$, $ST_{ID_{|k-1}}$, PP): This algorithm takes as input the revocation list $RL_{ID_{|k-1}}$, the state information $ST_{ID_{|k-1}}$, the decryption key $DK_{ID_{|k-1},T}$, and a time period T. It outputs the update key $UK_{ID_{|k-1},T}$.
4. DeriveKey($SK_{ID_{|k}}$, $UK_{ID_{|k-1},T}$, PP): This algorithm takes as input $SK_{ID_{|k}}$ of $ID_{|k}$ and $UK_{ID_{|k-1},T}$, and outputs the decryption key $DK_{ID_{|k},T}$ of $ID_{|k}$ at time T if $ID_{|k}$ is not revoked at T by its parent; otherwise it outputs ⊥.
5. Encrypt($ID_{|l}$, T, M, PP): This algorithm takes as input a message M, an identity $ID_{|l}$ and the current time T, and outputs the ciphertext CT.
6. Decrypt($CT_{ID_{|l},T}$, $DK_{ID'_{|k},T'}$, PP): This algorithm takes as input $CT_{ID_{|l},T}$ and $DK_{ID'_{|k},T'}$, and outputs the message if $ID'_{|k}$ is a prefix of $ID_{|l}$ and $T = T'$; otherwise it outputs ⊥.
7. Revoke($RL_{ID_{|k-1}}$, $ST_{ID_{|k-1}}$, $ID_{|k}$, T): This algorithm takes as input $ID_{|k}$ and T, and updates $RL_{ID_{|k-1}}$, managed by $ID_{|k-1}$ (the parent of $ID_{|k}$), by adding $(ID_{|k}, T)$.

Definition 2. We define an experiment under the adaptive-ID security against chosen plaintext attacks model in [5], named IND-RID-CPA security.
$$
\begin{array}{l}
\mathrm{Exp}^{\mathrm{IND\text{-}RID\text{-}CPA}}_{\pi,\mathcal{A}}(\lambda):\\
\quad (MK, PP, RL_\varepsilon, ST_\varepsilon) \leftarrow \mathrm{Setup}(1^\lambda);\\
\quad (M_0, M_1, ID^*_{|k}, T^*, ST) \leftarrow \mathcal{A}^{\mathcal{O}}(\mathrm{Find}, PP);\\
\quad b \xleftarrow{R} \{0,1\};\quad CT^* \leftarrow \mathrm{Encrypt}(PP, ID^*_{|k}, T^*, M_b);\\
\quad b' \leftarrow \mathcal{A}^{\mathcal{O}}(\mathrm{Guess}, CT^*, ST);\\
\quad \text{Return } 1 \text{ if } b' = b \text{ and } 0 \text{ otherwise.}
\end{array}
$$

In the above experiment, $\mathcal{O}$ is the set of oracles {SKGenQ(·), KeyUpQ(·,·), RevokeQ(·,·), DKGenQ(·,·)} defined as follows:

· SKGenQ(·): For $ID_{|k} \in \mathcal{I}^k$, it returns $SK_{ID_{|k}}$ (by running GenKey($ID_{|k}$, $ST_{ID_{|k-1}}$, PP) → $SK_{ID_{|k}}$).
· KeyUpQ(·,·): For $T \in \mathcal{T}$ and $\mathcal{BT}_{ID_{|k-1}}$, it returns $KU_{T,ID_{|k-1}}$ (by running UpdateKey(T, $RL_{ID_{|k-1}}$, $DK_{ID_{|k-1}}$, $ST_{ID_{|k-1}}$, PP) → $KU_T$).
· RevokeQ(·,·): For $ID_{|k} \in \mathcal{I}^k$ and $T \in \mathcal{T}$, it returns the updated revocation list RL (by running Revoke($RL_{ID_{|k-1}}$, $ST_{ID_{|k-1}}$, $ID_{|k}$, T)).
· DKGenQ(·,·): For $ID_{|k} \in \mathcal{I}^k$ and $T \in \mathcal{T}$, it returns $DK_{ID_{|k},T}$ (by running DeriveKey($SK_{ID_{|k}}$, $UK_{ID_{|k-1},T}$, PP) → $DK_{ID_{|k},T}$).

$\mathcal{A}$ is allowed to issue the above oracle queries with the following restrictions:

1. RevokeQ(·,·) can be queried on time T if KeyUpQ(·) was queried on T.
2. DKGenQ(·,·) cannot be queried on time T before KeyUpQ(·) was queried on T.
3. If $\mathcal{A}$ requested a private key query for $ID_{|k}$ that is a prefix of $ID^*_{|l}$, where $k \le l$, then the identity $ID_{|k}$ or one of its ancestors must be revoked at some time $T$ with $T \le T^*$.
4. $\mathcal{A}$ cannot request a decryption key query for the challenge identity $ID^*_{|l}$ or its ancestors at the challenge time $T^*$.
5. $\mathcal{A}$ cannot request a revocation query for $ID_{|k}$ at time T if it already requested an update key query for $ID_{|k}$ at time T.
6. $\mathcal{A}$ must query KeyUp(·,·) and Revoke(·,·) for the same identity in increasing order of time.

The advantage of $\mathcal{A}$ is defined as $\mathrm{Adv}^{\mathrm{RHIBE}}_{\mathcal{A}}(\lambda) = |\Pr[b = b'] - 0.5|$. We say that the RHIBE is IND-RID-CPA secure if for every PPT adversary $\mathcal{A}$, its advantage $\mathrm{Adv}^{\mathrm{RHIBE}}_{\mathcal{A}}(\lambda)$ is negligible in the security parameter λ.

2.2 Complexity assumptions

We generate $(N, G, G_T, e) \leftarrow \mathcal{G}$, where $G$ and $G_T$ are cyclic groups of order $N = p_1 p_2 p_3$ (also written $p$ below) for distinct primes $p_1, p_2, p_3$, and $e: G \times G \to G_T$ is an efficient, non-degenerate bilinear map. We denote the subgroup of $G$ of order $p_i$ by $G_{p_i}$.
We define the function $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\lambda) = |\Pr[\mathcal{A}(D, T_1)] - \Pr[\mathcal{A}(D, T_2)]|$ for any PPT algorithm $\mathcal{A}$ and parameters $D, T_1, T_2$.

Assumption 1. Let $g \xleftarrow{R} G_{p_1}$, $D = (\mathbb{G}, g)$, $T_1 \xleftarrow{R} G_{p_1p_2}$, $T_2 \xleftarrow{R} G_{p_1}$. We say that $\mathcal{G}$ satisfies Assumption 1 if $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\lambda)$ is a negligible function of λ for any PPT algorithm $\mathcal{A}$.

Assumption 2. Let $g \xleftarrow{R} G_{p_1}$, $g_2, X_2, Y_2 \xleftarrow{R} G_{p_2}$, $g_3 \xleftarrow{R} G_{p_3}$, $\alpha, s \xleftarrow{R} \mathbb{Z}_N$, $T_1 = e(g,g)^{\alpha s}$, $T_2 \xleftarrow{R} G_T$, $D = (\mathbb{G}, g, g_2, g_3, g^{\alpha}X_2, g^{s}Y_2)$. We say that $\mathcal{G}$ satisfies Assumption 2 if $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\lambda)$ is a negligible function of λ for any PPT algorithm $\mathcal{A}$.

Assumption 3. Let $g, X_1 \xleftarrow{R} G_{p_1}$, $g_2 \xleftarrow{R} G_{p_2}$, $X_3 \xleftarrow{R} G_{p_3}$, $T_1 \xleftarrow{R} G_{p_1}$, $T_2 \xleftarrow{R} G_{p_1p_3}$, $D = (\mathbb{G}, g, g_2, X_1X_3)$. We say that $\mathcal{G}$ satisfies Assumption 3 if $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\lambda)$ is a negligible function of λ for any PPT algorithm $\mathcal{A}$.

Assumption 4. Let $g, X_1 \xleftarrow{R} G_{p_1}$, $X_2, Y_2 \xleftarrow{R} G_{p_2}$, $g_3, Y_3 \xleftarrow{R} G_{p_3}$, $T_1 \xleftarrow{R} G_{p_1p_3}$, $T_2 \xleftarrow{R} G$, $D = (\mathbb{G}, g, g_3, X_1X_2, Y_2Y_3)$. We say that $\mathcal{G}$ satisfies Assumption 4 if $\mathrm{Adv}_{\mathcal{G},\mathcal{A}}(\lambda)$ is a negligible function of λ for any PPT algorithm $\mathcal{A}$.

3 Design of U-RHIBE system

We first describe the key encapsulation mechanism (KEM) version of the unbounded HIBE scheme [12] and its 1-level (H)IBE scheme, which are used as the building blocks of our RHIBE scheme. Let $GS = ((N = p_1p_2p_3, G, G_T, e), g, g_2, g_3) \leftarrow \mathcal{G}(\lambda)$ be the bilinear group, where λ is a security parameter, $g$ is a generator of $G_{p_1}$, $g_2$ is a generator of $G_{p_2}$ and $g_3$ is a generator of $G_{p_3}$.

3.1 HIBE scheme

We define a key-group function κ(I, y, r) of group elements and the expression $g^{\lambda}\kappa(I, y, r)$ as
$$\kappa(I, y, r) = \big(w^{y},\ g^{y},\ g^{r},\ (u^{I}h)^{r}v^{y}\big), \qquad g^{\lambda}\kappa(I, y, r) = \big(g^{\lambda}w^{y},\ g^{y},\ g^{r},\ (u^{I}h)^{r}v^{y}\big).$$

HIBE.Setup(GS): It selects $u, h, w, v \xleftarrow{R} G_{p_1}$ and $\alpha \xleftarrow{R} \mathbb{Z}_p$. It outputs a master key MK = α and public parameters $PP = ((p, G, G_T, e), g, u, h, w, v, \Omega = e(g,g)^{\alpha})$.

HIBE.GenKey($ID_{|k}$, MK, PP): Let the identity be $ID_{|k} = (I_1, \dots, I_k) \in \mathcal{I}^k$, with $\mathcal{I} = \{0,1\}^{\lambda}$ the identity space. It chooses $\lambda_1, \dots, \lambda_k, r_1, \dots, r_k, y_1, \dots, y_k \xleftarrow{R} \mathbb{Z}_p$ with $\lambda_1 + \dots + \lambda_k = \alpha$ and outputs the private key $SK_{ID_{|k}} = \{K_i = g^{\lambda_i}\kappa(I_i, y_i, r_i) : i = 1, \dots, k\}$.
HIBE.RandKey($ID_{|k}$, $SK_{ID_{|k}}$, PP): Let $SK_{ID_{|k}} = (\{K'_{i,0}, K'_{i,1}, K'_{i,2}, K'_{i,3}\}_{i=1}^{k})$. It chooses $\lambda_1, \dots, \lambda_k, r_1, \dots, r_k, y_1, \dots, y_k \xleftarrow{R} \mathbb{Z}_p$ with $\lambda_1 + \dots + \lambda_k = 0$ and outputs the re-randomized private key
$$SK_{ID_{|k}} = \big(\{K'_{i,0}\,g^{\lambda_i}w^{y_i},\ K'_{i,1}\,g^{y_i},\ K'_{i,2}\,g^{r_i},\ K'_{i,3}\,(u^{I_i}h)^{r_i}v^{y_i}\}_{i=1}^{k}\big).$$

HIBE.Delegate($ID_{|k}$, $SK_{ID_{|k-1}}$, PP): Let $SK_{ID_{|k-1}} = (\{K'_{i,0}, K'_{i,1}, K'_{i,2}, K'_{i,3}\}_{i=1}^{k-1})$. It chooses $\lambda_1, \dots, \lambda_k, y_k, r_k \xleftarrow{R} \mathbb{Z}_p$ with $\lambda_1 + \dots + \lambda_k = 0$ and creates a temporary delegated private key
$$TSK_{ID_{|k}} = \big(\{K'_{i,0}\,g^{\lambda_i},\ K'_{i,1},\ K'_{i,2},\ K'_{i,3}\}_{i=1}^{k-1},\ g^{\lambda_k}\kappa(I_k, y_k, r_k)\big).$$
Next, it outputs the delegated private key $SK_{ID_{|k}}$ by running HIBE.RandKey($ID_{|k}$, $TSK_{ID_{|k}}$, PP).

HIBE.Encaps($ID_{|l}$, s, PP): Let $ID_{|l} = (I_1, \dots, I_l) \in \mathcal{I}^l$. It chooses $t_1, \dots, t_l \xleftarrow{R} \mathbb{Z}_p$ and outputs a ciphertext $CT_{ID_{|l}} = (g^{s}, \{w^{s}v^{t_i}, (u^{I_i}h)^{t_i}, g^{t_i}\}_{i=1}^{l})$ and a session key $EK = \Omega^{s}$.

HIBE.Decaps($CT_{ID_{|l}}$, $SK_{ID'_{|k}}$, PP): Let $CT_{ID_{|l}} = (C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=1}^{l})$ and $SK_{ID'_{|k}} = (\{K_{i,0}, K_{i,1}, K_{i,2}, K_{i,3}\}_{i=1}^{k})$. If $ID'_{|k}$ is a prefix of $ID_{|l}$, it outputs the session key
$$EK = \prod_{i=1}^{k} \frac{e(C_0, K_{i,0})\,e(C_{i,3}, K_{i,3})}{e(C_{i,1}, K_{i,1})\,e(C_{i,2}, K_{i,2})}.$$
Otherwise, it outputs ⊥.

Additionally, we introduce two algorithms for our modular RHIBE construction, ChangeKey and MergeKey, which are defined similarly to the algorithms in [5].

HIBE.ChangeKey($SK_{ID_{|k}}$, δ, PP): Let $SK_{ID_{|k}} = (\{K'_{i,0}, K'_{i,1}, K'_{i,2}, K'_{i,3}\}_{i=1}^{k})$. It chooses $\lambda_1, \dots, \lambda_k \xleftarrow{R} \mathbb{Z}_p$ with $\lambda_1 + \dots + \lambda_k = \delta$ and sets $TSK = (\{K'_{i,0}\,g^{\lambda_i}, K'_{i,1}, K'_{i,2}, K'_{i,3}\}_{i=1}^{k})$. It outputs a new private key $SK_{ID_{|k}} \leftarrow$ HIBE.RandKey($ID_{|k}$, TSK, PP).

HIBE.MergeKey($SK^{(1)}_{ID_{|k}}$, $SK^{(2)}_{ID_{|k}}$, η, PP): Let $SK^{(1)}_{ID_{|k}} = (\{K'_{i,0}, K'_{i,1}, K'_{i,2}, K'_{i,3}\}_{i=1}^{k})$ and $SK^{(2)}_{ID_{|k}} = (\{K''_{i,0}, K''_{i,1}, K''_{i,2}, K''_{i,3}\}_{i=1}^{k})$ be two private keys for the same identity $ID_{|k}$. It computes a temporary private key $TSK = (\{K'_{i,0}K''_{i,0}, K'_{i,1}K''_{i,1}, K'_{i,2}K''_{i,2}, K'_{i,3}K''_{i,3}\}_{i=1}^{k})$. Next, it outputs the merged private key $SK_{ID_{|k}} \leftarrow$ HIBE.ChangeKey(TSK, η, PP). Note that the master key part of the result is $\alpha_1 + \alpha_2 + \eta$ if the master key parts of $SK^{(1)}_{ID_{|k}}$ and $SK^{(2)}_{ID_{|k}}$ are $\alpha_1$ and $\alpha_2$ respectively.
3.2 IBE scheme

A trivial extension to RHIBE from the HIBE in [12] constructs the decryption key of $(T, ID_{|k})$ as $\{D_0 = g^{\lambda_0}\kappa(T, y_0, r_0),\ D_i = g^{\lambda_i}\kappa(I_i, y_i, r_i),\ i = 1, \dots, k \mid \sum_{i=0}^{k}\lambda_i = \alpha\}$. This leaves a problem in the proof under the RHIBE model, where the information-theoretic argument is not as easy to show as under the HIBE model. So we modify the construction by defining a new update-key-group function
$$\kappa_T(T, y, r) = \big(w'^{y},\ g^{y},\ g^{r},\ (u'^{T}h')^{r}v'^{y}\big) \qquad (1)$$
and $D_0 = g^{\lambda_0}\kappa_T(T, y_0, r_0)$, which is constructed from the component IBE secret key.

IBE.Setup(GS): It selects $u', h', w', v' \xleftarrow{R} G_{p_1}$ and $\beta \xleftarrow{R} \mathbb{Z}_p$. It outputs a master key MK = β and public parameters $PP = ((p, G, G_T, e), g, u', h', w', v', \Omega = e(g,g)^{\beta})$.

IBE.GenKey(T, MK, PP): This algorithm takes as input a time T, the master key MK and the public parameters PP. It chooses $r, y \xleftarrow{R} \mathbb{Z}_p$ and outputs an IBE secret key $SK_T = g^{\beta}\kappa_T(T, y, r)$.

IBE.RandKey(T, $SK_T$, PP): Let the private key be $SK_T = (K'_0, K'_1, K'_2, K'_3)$. It chooses $r, y \xleftarrow{R} \mathbb{Z}_p$ and outputs the re-randomized private key $SK_T = (K_0 = K'_0 w'^{y},\ K_1 = K'_1 g^{y},\ K_2 = K'_2 g^{r},\ K_3 = K'_3 (u'^{T}h')^{r}v'^{y})$.

IBE.Encaps(T, s, PP): It chooses $t \xleftarrow{R} \mathbb{Z}_p$ and outputs a ciphertext $CT_T = (C_0 = g^{s},\ C_1 = w'^{s}v'^{t},\ C_2 = (u'^{T}h')^{t},\ C_3 = g^{t})$ and the session key $EK = \Omega^{s}$.

IBE.Decaps($CT_T$, $SK_{T'}$, PP): Let the ciphertext be $CT_T = (C_0, C_1, C_2, C_3)$ and the private key $SK_{T'} = (K_0, K_1, K_2, K_3)$. If $T = T'$, it outputs the session key $EK = e(C_0, K_0)\,e(C_3, K_3) / (e(C_1, K_1)\,e(C_2, K_2))$. Otherwise, it outputs ⊥.

The construction of IBE.ChangeKey and IBE.MergeKey is similar to that of HIBE.ChangeKey and HIBE.MergeKey, and we omit them here.

3.3 The CS method

We exploit the complete subtree (CS) method to construct our RHIBE scheme. We follow the definition of the CS scheme in the work of Lee and Park [22].

CS.Setup($N_{max}$): Let $N_{max} = 2^{n}$. It first sets up a full binary tree $\mathcal{BT}$ of depth n. Each user is assigned to a different leaf node in $\mathcal{BT}$. The collection $\mathcal{S}$ is defined as $\{S_i\}$, where $S_i$ is the set of all leaves in the subtree $\mathcal{T}_i$ with subroot $v_i \in \mathcal{BT}$.
It outputs the full binary tree $\mathcal{BT}$.

CS.Assign($\mathcal{BT}$, ID): Let $v_{ID}$ be the leaf node of $\mathcal{BT}$ assigned to the user ID. Let $(v_{k_0}, v_{k_1}, \dots, v_{k_n})$ be the path from the root node $v_{k_0} = v_0$ to the leaf node $v_{k_n} = v_{ID}$. For all $j \in \{k_0, \dots, k_n\}$, it adds $S_j$ to $PV_{ID}$. It outputs the private set $PV_{ID} = \{S_j\}$.

CS.Cover($\mathcal{BT}$, R): It first computes the Steiner tree ST(R). Let $\mathcal{T}_{k_1}, \dots, \mathcal{T}_{k_m}$ be all the subtrees of $\mathcal{BT}$ that hang off ST(R), that is, all subtrees whose roots $v_{k_1}, \dots, v_{k_m}$ are not in ST(R) but are adjacent to nodes of outdegree 1 in ST(R). For all $i \in \{k_1, \dots, k_m\}$, it adds $S_i$ to $CV_R$. It outputs the covering set $CV_R = \{S_i\}$.

CS.Match($CV_R$, $PV_{ID}$): It finds a subset $S_k$ with $S_k \in CV_R$ and $S_k \in PV_{ID}$. If there is such a subset, it outputs $S_k$. Otherwise, it outputs ⊥.

3.4 Construction

RHIBE.Setup($1^\lambda$, $N_{max}$): The Setup algorithm takes as input a security parameter λ and a maximum number of users for each level $N_{max}$. It first runs $\mathcal{G}$ to obtain two groups $G$, $G_T$ of order $p = p_1p_2p_3$, where $p_1, p_2, p_3$ are distinct primes, and a bilinear map $e: G \times G \to G_T$. It sets $GS = ((N, G, G_T, e), g, g_2, g_3)$, where $g$, $g_2$ and $g_3$ denote generators of $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$ respectively. It selects a random exponent $\alpha \in \mathbb{Z}_p$ and sets $\Omega = e(g,g)^{\alpha}$. It outputs a master key MK = α and public parameters $PP = (PP_{HIBE}, PP_{IBE}, \Omega, N_{max})$, where $PP_{HIBE} \leftarrow$ HIBE.Setup(GS) and $PP_{IBE} \leftarrow$ IBE.Setup(GS).

RHIBE.GenKey($ID_{|k}$, $ST_{ID_{|k-1}}$, PP): This algorithm takes as input an identity $ID_{|k} = (I_1, \dots, I_k) \in \mathcal{I}^k$ and the state $ST_{ID_{|k-1}}$, which contains $\mathcal{BT}_{ID_{|k-1}}$.

1. If $ST_{ID_{|k-1}}$ is empty, it obtains $\mathcal{BT}_{ID_{|k-1}} \leftarrow$ CS.Setup($N_{max}$) and then sets $ST_{ID_{|k-1}} = (\mathcal{BT}_{ID_{|k-1}}, \beta_{ID_{|k-1}}, z_{ID_{|k-1}})$, where $\beta_{ID_{|k-1}}$ is a false master key and $z_{ID_{|k-1}}$ is a PRF key.
2. It assigns $ID_{|k}$ to a random leaf node $v \in \mathcal{BT}_{ID_{|k-1}}$ and obtains the node set $\mathrm{Path}(ID_{|k}) \leftarrow$ CS.Assign($\mathcal{BT}_{ID_{|k-1}}$, $ID_{|k}$) for $ID_{|k}$. For each $S_\theta \in \mathrm{Path}$, it computes $\gamma_\theta = PRF(z_{ID_{|k-1}}, L_\theta)$, where $L_\theta = \mathrm{Label}(S_\theta)$, and obtains an HIBE private key $SK_{HIBE,S_\theta} \leftarrow$ HIBE.GenKey($ID_{|k}$, $\gamma_\theta$, PP).
Finally, it outputs the private key $SK_{ID_{|k}} = (\mathrm{Path}, \{SK_{HIBE,S_\theta}\}_{S_\theta \in \mathrm{Path}})$. Note that the master key part of $SK_{HIBE,S_\theta}$ is $\gamma_\theta$.

RHIBE.UpdateKey(T, $RL_{ID_{|k-1}}$, $DK_{ID_{|k-1},T}$, $ST_{ID_{|k-1}}$, PP): Let $DK_{ID_{|k-1},T} = (RSK_{HIBE,ID_{|k-1}}, RSK'_{IBE,T})$ and let the state be $ST_{ID_{|k-1}} = (\mathcal{BT}_{ID_{|k-1}}, \beta_{ID_{|k-1}}, z_{ID_{|k-1}})$, with $k \ge 1$.

1. It first obtains a randomized decryption key $RDK_{ID_{|k-1},T} = (RSK_{IBE}, RSK_{HIBE}) \leftarrow$ RHIBE.RandDK($DK_{ID_{|k-1},T}$, $-\beta_{ID_{|k-1}}$, PP).
2. It derives the set of revoked identities R at time T from $RL_{ID_{|k-1}}$. Next, it obtains a covering set $CV_R = \{S_i\}$ by running CS.Cover($\mathcal{BT}_{ID_{|k-1}}$, R).
3. For each $S_i \in CV_R$, it computes $\gamma_i = PRF(z_{ID_{|k-1}}, L_i)$, where $L_i = \mathrm{Label}(S_i)$, and obtains an IBE private key $SK'_{IBE,S_i} \leftarrow$ IBE.GenKey(T, $\gamma_i$, PP). Then it computes $SK_{IBE,S_i} \leftarrow$ IBE.MergeKey($SK'_{IBE,S_i}$, $RSK_{IBE}$, $\beta_{ID_{|k-1}}$, PP).
4. It finally outputs the update key $UK_{ID_{|k-1},T} = (CV_R, \{SK_{IBE,S_i}, RSK_{HIBE}\}_{S_i \in CV_R})$. Note that the master key parts of $RSK_{HIBE}$ and $SK_{IBE,S_i}$ are $\eta_0$ and $\alpha - \eta_0 - \gamma_i$ for some random $\eta_0$ respectively.

RHIBE.DeriveKey($SK_{ID_{|k}}$, $UK_{ID_{|k-1},T}$, PP): This algorithm takes as input a private key $SK_{ID_{|k}} = (\mathrm{Path}, \{SK_{HIBE,S_\theta}\}_{S_\theta \in \mathrm{Path}})$ for an identity $ID_{|k}$ and an update key $UK_{ID_{|k-1},T} = (CV_R, \{SK_{IBE,S_i}, RSK'_{HIBE,ID_{|k-1}}\}_{S_i \in CV_R})$ for time T.

1. If $k = 0$, then $SK_{ID_{|0}} = MK = \alpha$ and $UK_{ID_{|-1},T}$ is empty. It selects a random exponent $\eta \in \mathbb{Z}_p$. It then obtains $RSK_{HIBE,ID_{|0}} \leftarrow$ HIBE.GenKey($ID_{|0}$, η, PP) and $RSK_{IBE,T} \leftarrow$ IBE.GenKey(T, $\alpha - \eta$, PP). It outputs the decryption key $DK_{ID_{|0},T} = (RSK_{IBE,T}, RSK_{HIBE,ID_{|0}})$.
3. It obtains $RSK''_{HIBE,ID_{|k}} \leftarrow$ HIBE.Delegate($ID_{|k}$, $RSK'_{HIBE,ID_{|k-1}}$, PP), since $ID_{|k-1} \in \mathrm{Prefix}(ID_{|k})$. Next, it selects a random exponent $\eta \in \mathbb{Z}_p$ and obtains $RSK_{HIBE,ID_{|k}} \leftarrow$ HIBE.MergeKey($RSK''_{HIBE,ID_{|k}}$, $SK_{HIBE,S_i}$, η, PP) and $RSK_{IBE,T} \leftarrow$ IBE.ChangeKey($SK_{IBE,S_i}$, $-\eta$, PP) respectively. Finally, it outputs the decryption key $DK_{ID_{|k},T} = (RSK_{IBE,T}, RSK_{HIBE,ID_{|k}})$. Note that the master key parts of $RSK_{HIBE,ID_{|k}}$ and $RSK_{IBE,T}$ are $\eta_0$ and $\alpha - \eta_0$ for some random $\eta_0$ respectively.
RHIBE.RandDK($DK'_{ID_{|k},T}$, η, PP): Let $DK'_{ID_{|k},T} = (RSK'_{IBE,T}, RSK'_{HIBE,ID_{|k}})$. It computes $RSK_{HIBE,ID_{|k}} \leftarrow$ HIBE.ChangeKey($RSK'_{HIBE,ID_{|k}}$, η, PP) and $RSK_{IBE,T} \leftarrow$ IBE.ChangeKey($RSK'_{IBE,T}$, $-\eta$, PP), and outputs the re-randomized decryption key $DK_{ID_{|k},T} = (RSK_{IBE,T}, RSK_{HIBE,ID_{|k}})$.

RHIBE.Encrypt($ID_{|l}$, T, M, PP): This algorithm takes as input an identity $ID_{|l} = (I_1, \dots, I_l) \in \mathcal{I}^l$, a time T and a message $M \in \mathcal{M}$. It chooses a random exponent $t \in \mathbb{Z}_p$. Next, it obtains $(CH_{HIBE,ID_{|l}}, EK_{HIBE}) \leftarrow$ HIBE.Encaps($ID_{|l}$, t, PP) and $(CH_{IBE,T}, EK_{IBE}) \leftarrow$ IBE.Encaps(T, t, PP). It outputs the ciphertext $CT_{ID_{|l},T} = (CH_{IBE,T}, CH_{HIBE,ID_{|l}}, C = \Omega^{t}M)$.

RHIBE.Decrypt($CT_{ID_{|l},T}$, $DK_{ID'_{|k},T'}$, PP): This algorithm takes as input a ciphertext $CT_{ID_{|l},T} = (CH_{IBE,T}, CH_{HIBE,ID_{|l}}, C)$ and a decryption key $DK_{ID'_{|k},T'} = (RSK_{IBE,T'}, RSK_{HIBE,ID'_{|k}})$. If $ID'_{|k}$ is a prefix of $ID_{|l}$ and $T = T'$, it obtains $EK_{HIBE} \leftarrow$ HIBE.Decaps($CH_{HIBE,ID_{|l}}$, $RSK_{HIBE,ID'_{|k}}$, PP) and $EK_{IBE} \leftarrow$ IBE.Decaps($CH_{IBE,T}$, $RSK_{IBE,T}$, PP), and outputs the message $M = C \cdot (EK_{HIBE} \cdot EK_{IBE})^{-1}$. Otherwise, it outputs ⊥.

RHIBE.Revoke($ID_{|k}$, T, $RL_{ID_{|k-1}}$, $ST_{ID_{|k-1}}$): This algorithm takes as input an identity $ID_{|k}$, a revocation time T, the revocation list $RL_{ID_{|k-1}}$ and the state $ST_{ID_{|k-1}}$. If $(ID_{|k}, -) \notin ST_{ID_{|k-1}}$, it outputs ⊥, since the private key of $ID_{|k}$ was never generated. Otherwise, it adds $(ID_{|k}, T)$ to $RL_{ID_{|k-1}}$ and outputs the updated revocation list $RL_{ID_{|k-1}}$.
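As an added example (not code from the paper), the CS method of Section 3.3 and the exponent bookkeeping of RHIBE.GenKey, UpdateKey and DeriveKey in Section 3.4, for the root-level KGC (k = 0): each node on Path(ID) carries the share $\gamma_\theta$, each cover node carries $\alpha - \eta_0 - \gamma_i$, and at the matched node the two parts of the decryption key sum to α. Group elements, pairings and the paper's PRF are not modelled: exponents are integers mod a toy prime, HMAC-SHA256 stands in for PRF, and the heap-style node numbering and sample identities are constructed here.

```python
# Added example (not the paper's code): CS.Setup/Assign/Cover/Match of Sec. 3.3
# and the "master key part" arithmetic of RHIBE.GenKey/UpdateKey/DeriveKey
# (Sec. 3.4) at the root KGC, where SK_ID|0 = MK = alpha. Exponents are integers
# mod a toy prime P; HMAC-SHA256 stands in for the PRF. Node numbering and the
# identities in demo() are constructed for this example.
import hashlib
import hmac
import secrets

P = 2**61 - 1  # toy exponent modulus standing in for Z_p


class CompleteSubtree:
    """CS.Setup(N_max): full binary tree with N_max = 2**n leaves, numbered
    heap-style (root = 1, children of v are 2v, 2v+1; leaves N_max..2N_max-1).
    Node v stands for S_v, the set of leaves in the subtree rooted at v."""

    def __init__(self, n):
        self.nmax = 1 << n
        self.leaf_of = {}                               # identity -> leaf node
        self.free = list(range(self.nmax, 2 * self.nmax))

    def assign(self, ident):
        """CS.Assign(BT, ID): random free leaf for ID; returns Path(ID) = PV_ID,
        the set of nodes from the root down to that leaf."""
        if ident not in self.leaf_of:
            self.leaf_of[ident] = self.free.pop(secrets.randbelow(len(self.free)))
        v, path = self.leaf_of[ident], set()
        while v >= 1:
            path.add(v)
            v //= 2
        return path

    def cover(self, revoked):
        """CS.Cover(BT, R): ST(R) joins the root to the revoked leaves; CV_R is
        the set of children of ST(R) nodes that are not in ST(R) themselves."""
        steiner = set()
        for ident in revoked:
            v = self.leaf_of[ident]
            while v >= 1:
                steiner.add(v)
                v //= 2
        if not steiner:
            return {1}                                  # nobody revoked: S_root
        cv = set()
        for v in steiner:
            if v < self.nmax:                           # internal node of ST(R)
                cv.update(c for c in (2 * v, 2 * v + 1) if c not in steiner)
        return cv

    @staticmethod
    def match(cv, pv):
        """CS.Match(CV_R, PV_ID): the (unique) common subset, or None for ⊥."""
        common = cv & pv
        return next(iter(common)) if common else None


def prf(z, label):
    """Toy PRF(z, L) -> Z_P giving the per-node share gamma."""
    mac = hmac.new(z, str(label).encode(), hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % P


def gen_key(tree, z, ident):
    """RHIBE.GenKey step 2: one HIBE component per node theta on Path(ID),
    with master key part gamma_theta = PRF(z, Label(S_theta))."""
    return {theta: prf(z, theta) for theta in tree.assign(ident)}


def update_key(tree, z, alpha, revoked):
    """RHIBE.UpdateKey steps 2-4 at the root: a HIBE part eta0 and, for each
    S_i in CV_R, an IBE component with master key part alpha - eta0 - gamma_i."""
    eta0 = secrets.randbelow(P)
    return {"hibe": eta0,
            "ibe": {i: (alpha - eta0 - prf(z, i)) % P for i in tree.cover(revoked)}}


def derive_key(sk, uk):
    """RHIBE.DeriveKey: match Path(ID) against CV_R, merge the matched HIBE
    component into the HIBE part with fresh eta (MergeKey) and subtract eta from
    the IBE part (ChangeKey). Returns (hibe_part, ibe_part), or None for ⊥."""
    theta = CompleteSubtree.match(set(uk["ibe"]), set(sk))
    if theta is None:
        return None                                     # ID revoked at T
    eta = secrets.randbelow(P)
    hibe = (uk["hibe"] + sk[theta] + eta) % P           # eta0 + gamma_theta + eta
    ibe = (uk["ibe"][theta] - eta) % P                  # alpha - eta0 - gamma_theta - eta
    return hibe, ibe


def demo(n=3):
    """Root KGC with 2**n leaves: revoke two users, derive for a third. Returns
    (alpha, DK of the non-revoked user, DK of a revoked user, |CV_R|)."""
    tree, z, alpha = CompleteSubtree(n), secrets.token_bytes(32), secrets.randbelow(P)
    sks = {u: gen_key(tree, z, u) for u in ("alice", "bob", "carol")}
    uk = update_key(tree, z, alpha, revoked={"bob", "carol"})
    return alpha, derive_key(sks["alice"], uk), derive_key(sks["bob"], uk), len(uk["ibe"])
```

For a non-revoked user the two returned parts sum to α mod P, which is the exponent relation the correctness argument in Section 3.5 relies on; a revoked user's path misses every cover node and DeriveKey returns ⊥.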
3.5 Correctness

If a user is not revoked at time T, the RHIBE.DeriveKey algorithm correctly derives his decryption key $DK_{ID_{|k},T}$ as
$$DK_{ID_{|k},T} = \Big(g^{\alpha - \sum_{i=1}^{k}\lambda_i}\,w'^{\beta_0},\ g^{\beta_0},\ g^{r_0},\ (u'^{T}h')^{r_0}v'^{\beta_0},\ \{g^{\lambda_i}w^{\beta_i},\ g^{\beta_i},\ g^{r_i},\ (u^{I_i}h)^{r_i}v^{\beta_i}\}_{i=1}^{k}\Big).$$
The RHIBE.Decrypt algorithm takes $CT_{ID_{|l},T}$ as input, where
$$CT_{ID_{|l},T} = \Big(g^{s},\ w'^{s}v'^{t_0},\ (u'^{T}h')^{t_0},\ g^{t_0},\ \{w^{s}v^{t_i},\ (u^{I_i}h)^{t_i},\ g^{t_i}\}_{i=1}^{l}\Big),$$
and computes $B = C/M$ as
$$B = \frac{e\big(g^{s},\ g^{\alpha}w'^{\beta_0}\prod_{i=1}^{k}w^{\beta_i}\big)\ e\big(g^{t_0},\ (u'^{T}h')^{r_0}v'^{\beta_0}\big)}{e\big(w'^{s}v'^{t_0},\ g^{\beta_0}\big)\ e\big((u'^{T}h')^{t_0},\ g^{r_0}\big)}\ \prod_{i=1}^{k}\frac{e\big(g^{t_i},\ (u^{I_i}h)^{r_i}v^{\beta_i}\big)}{e\big(w^{s}v^{t_i},\ g^{\beta_i}\big)\ e\big((u^{I_i}h)^{t_i},\ g^{r_i}\big)} = \Omega^{s}.$$

4 Security analysis

We use the dual system encryption proof technique to prove the adaptive security of our U-RHIBE. We adopt the concept of ephemeral semi-functionality [12] and design a new nested dual system encryption for unbounded RHIBEs. As an intermediate transformation stage between the normal and semi-functional distributions, ephemeral semi-functionality helps us to overcome the challenge presented by the low entropy of the public parameters.

Theorem 1. Our unbounded RHIBE scheme is IND-RID-CPA secure if Assumptions 1–4 hold.

Proof. We first define the semi-functional type and the ephemeral semi-functional types of keys and ciphertexts in Sec. 4.1; these are the types of keys and ciphertexts returned to the queries in the challenge game. Secondly, we conduct the security proof through the indistinguishability of a sequence of hybrid games that we define in Sec. 4.2.

4.1 Definition of (ephemeral) semi-functional keys and ciphertexts

For constructing the different types of ciphertexts, secret keys, update keys and decryption keys, the challenger $\mathcal{B}$ is initially given random elements $g, u, v, w, u', v', w' \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3 \in G_{p_3}$, as well as random exponents $\psi_1, \psi_2, \sigma_1, \sigma_2, a', b', s, \delta_1, \delta_2, \gamma$.
We define the semi-functional ciphertext and five types of ephemeral semi-functional ciphertexts of a normal ciphertext $CT_{ID|_l,T}$ by moving the element $C_0$ into $G_{p_1p_2}$ and changing the $l+1$ ciphertext-element-groups $(C_{i,1}, C_{i,2}, C_{i,3})$ into different types. The definitions of the ephemeral semi-functional ciphertexts, called ESF-1-CT, ESF-2k-CT, ESF-3k-CT, ESF-4k-CT and ESF-5-CT where $0 \le k \le l$, are given in Appendix A. In the definition of the semi-functional ciphertext, we add a $G_{p_2}$ term to the first element of every ciphertext-element-group.

RHIBE.EncryptSF: It first obtains the normal ciphertext $CT_{ID|_l,T} = (C, C_0, \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=0}^{l})$ for an identity $ID|_l = (I_1, \ldots, I_l) \in \mathcal{I}^l$, a time $T \in \mathcal{T}$ and a message $M \in \mathcal{M}$. It chooses exponents $\gamma, \delta_1, \delta_2 \in \mathbb{Z}_p$ and outputs the SF-CT $\widetilde{CT}_{ID|_l,T}$ as
$$\Big(C,\; C_0\, g_2^{\gamma},\; C_{0,1}\, g_2^{\delta_2},\; C_{0,2},\; C_{0,3},\; \{C_{i,1}\, g_2^{\delta_1},\; C_{i,2},\; C_{i,3}\}_{i=1}^{l}\Big).$$

As mentioned before, our normal secret keys and update keys cannot simply be changed into semi-functional keys one by one as in [11], because the information-theoretic argument is inefficient in our scheme. Instead, we divide secret keys and update keys into small component keys, which are grouped together when they are related to the same node in a binary tree. As in [11], we only change the last element-group of a normal secret key to construct the semi-functional secret key and the ephemeral semi-functional secret key. We define one type of semi-functional secret key and five types of ephemeral semi-functional secret key. The definitions of the ephemeral semi-functional secret keys, called ESF-1-SK, ESF-2-SK, ESF-3-SK, ESF-4-SK and ESF-5-SK, are given in Appendix A. In the definition of the semi-functional secret key, we add a $G_{p_2p_3}$ term to the first two elements and the last element of the last element-group.

RHIBE.SKeySF$(ID|_j, ST_{ID|_{j-1}}, PP, \theta) \to$
$\widetilde{SK}_{HIBE,S_\theta}$: It constructs the correlative sub-key $SK_{HIBE,S_\theta} = (\{K_{i,0}, K_{i,1}, K_{i,2}, K_{i,3}\}_{i=1}^{j})$ for the node $\theta \in \mathrm{Path}(ID|_j)$ in $BT_{ID|_{j-1}}$ as follows: It chooses random exponents $y', r \in \mathbb{Z}_p$ and $\sigma_1, \psi_1 \in \mathbb{Z}_p$, then it constructs $\kappa^{sf}(I_j, y', r)$ for the last element-group as
$$\Big(w^{y'}(g_2g_3)^{y'\psi_1},\; g^{y'}(g_2g_3)^{y'},\; g^{r},\; v^{y'}(g_2g_3)^{y'\sigma_1}(u^{I_j}h)^{r}\Big).$$
The construction of the other element-groups follows the construction of $SK_{HIBE,S_\theta}$ in RHIBE.GenKey.

We define one type of semi-functional update key and five types of ephemeral semi-functional update key. The definitions of the ephemeral semi-functional update keys, called ESF-1-UK, ESF-2-UK, ESF-3-UK, ESF-4-UK and ESF-5-UK, are given in Appendix A. The constructions from the normal component update key to the (ephemeral) semi-functional component update keys are similar to those of the secret keys, except that we change the first element-group of the normal component update key into the different types.

RHIBE.UpdateKeySF$(T, ST_{ID|_{k-1}}, RL_{ID|_{k-1},T}, PP, \theta) \to \widetilde{TUK}$: It constructs the correlative component key $TUK_{ID|_{j-1},T,\theta} = (\{U_{i,0}, U_{i,1}, U_{i,2}, U_{i,3}\}_{i=0}^{k-1})$ for the node $\theta \in \mathrm{KUNode}$ as follows: It chooses random exponents $y', r \in \mathbb{Z}_p$ and $\sigma_2, \psi_2 \in \mathbb{Z}_p$, then it constructs $\kappa^{sf}(T, y', r)$ for the first element-group $(U_{0,0}, U_{0,1}, U_{0,2}, U_{0,3})$ as from $\widetilde{UK}_{ID|_{k-1},T}$ for the node $\theta$. Then the semi-functional decryption key $\widetilde{DK}_{ID|_k,T} = (\{\widetilde{D}_{i,0}, \widetilde{D}_{i,1}, \widetilde{D}_{i,2}, \widetilde{D}_{i,3}\}_{i=0}^{k})$ is
$$\Big(\widetilde{U}_{0,0},\; \widetilde{U}_{0,1},\; \widetilde{U}_{0,2},\; \widetilde{U}_{0,3},\; \{\widetilde{U}_{i,0}\widetilde{K}_{i,0},\; \widetilde{U}_{i,1}\widetilde{K}_{i,1},\; \widetilde{U}_{i,2}\widetilde{K}_{i,2},\; \widetilde{U}_{i,3}\widetilde{K}_{i,3}\}_{i=1}^{k-1},\; \widetilde{K}_{k,0},\; \widetilde{K}_{k,1},\; \widetilde{K}_{k,2},\; \widetilde{K}_{k,3}\Big).$$
Then we re-randomize it by running RHIBE.RandDK and output it.

4.2 Sequence of games

We define a sequence of games to show that the advantage in distinguishing $G_{Real}$ from $G_{Final}$ is negligible. In Table 3, we give the types of the keys in the queries and of the challenge ciphertext in every game, together with the decryption situation that follows from those types.
$G_{Real}$: The original game, in which all secret keys, update keys, decryption keys and ciphertexts are normal.

$G_C$: The challenge ciphertext is changed to semi-functional; all keys are still normal.

$G_{C'}$: Exactly like $G_C$, except for an added restriction on the challenge key identity vector. We explain the restriction in Sec. 4.6.

$G_{E-S}$: The secret keys are changed to ESF-2. The update keys and decryption keys are still normal. The challenge ciphertext is semi-functional. This game is used in the proof of security against a Type-1 adversary.

$G_{E-U}$: The update keys are changed to ESF-2. The secret keys and decryption keys are still normal. The challenge ciphertext is semi-functional. This game is used in the proof of security against a Type-2 adversary.

$G_{E-S'}$: Almost the same as $G_{E-S}$, except that the challenge ciphertext is changed to ESF-1. This game is used in the proof of security against a Type-1 adversary.

$G_{E-U'}$: Almost the same as $G_{E-U}$, where the update keys are ESF-2 and the secret keys and decryption keys are normal, except that the challenge ciphertext is changed to ESF-1. This game is used in the proof of security against a Type-2 adversary.

$G_{ESF'}$: The update keys and secret keys are all changed to ESF-2. The challenge ciphertext is changed to ESF-1. The decryption keys are still normal.

$G_{SF''}$: All secret keys, update keys and the challenge ciphertext are changed to semi-functional. The decryption keys are still normal.
Table 3. Types of the keys answered to queries and of the challenge ciphertext in every game (reconstructed from the residue; the SK, UK and DK columns are the table's own, the CT column follows the game definitions in the text, and the decryption-situation column did not survive extraction).

Game        SK        UK        DK        CT
G_Real      Normal    Normal    Normal    Normal
G_C         Normal    Normal    Normal    SF
G_C'        Normal    Normal    Normal    SF
G_E-S       ESF-2     Normal    Normal    SF
G_E-U       Normal    ESF-2     Normal    SF
G_E-S'      ESF-2     Normal    Normal    ESF-1
G_E-U'      Normal    ESF-2     Normal    ESF-1
G_ESF'      ESF-2     ESF-2     Normal    ESF-1
G_SF''      SF        SF        Normal    SF
G_E-D       SF        SF        ESF-2     SF
G_ESF       SF        SF        ESF-2     ESF-1
G_SF'       SF        SF        SF        SF
G_SF        SF        SF        SF        SF

The decryption situation according to the types of keys and ciphertexts in the different games is what the challenger B checks to see whether the keys are nominally semi-functional. DKGenQ√ means that only the decryption key answered by the query DKGenQ is able to decrypt the ciphertext; ✗ means that neither the queried decryption key nor the derived decryption key is able to decrypt the ciphertext.

$G_{E-D}$: The decryption keys are changed to ESF-2. The other keys and the challenge ciphertext are still semi-functional.

$G_{ESF}$: The challenge ciphertext is changed to ESF-1. The update keys and secret keys are all still semi-functional. The decryption keys are still ESF-2.

$G_{SF'}$: The challenge ciphertext is changed to semi-functional. The decryption keys are changed to semi-functional. That is, all secret keys, update keys, decryption keys and the challenge ciphertext are now semi-functional. This game is exactly like $G_{SF}$, except for an added restriction on the challenge key identity vector. We explain the restriction in Sec. 4.6.

$G_{SF}$: The challenge ciphertext and all keys are semi-functional.

$G_{Final}$: The session key is changed to a random value, so the adversary has no advantage in distinguishing the challenge messages.

Let $Adv^{RHIBE}_A$ be the advantage of A in the real game.
From all the lemmas in this section, we obtain
$$\begin{aligned}
Adv^{RHIBE}_A(\lambda) \le\;& |Adv^{G_{Real}}_A(\lambda) - Adv^{G_C}_A(\lambda)| + |Adv^{G_C}_A(\lambda) - Adv^{G_{C'}}_A(\lambda)| + |Adv^{G_{C'}}_A(\lambda) - Adv^{G_{SF'}}_A(\lambda)| \\
&+ |Adv^{G_{SF'}}_A(\lambda) - Adv^{G_{SF}}_A(\lambda)| + |Adv^{G_{SF}}_A(\lambda) - Adv^{G_{Final}}_A(\lambda)| \\
\le\;& Adv^{A1}_B(\lambda) + Adv^{A2}_B(\lambda) + \big(O(q_n \log N_{max}) + O(q_n r_{max} \log N_{max}) + O(l)\big)\big(Adv^{A3}_B + Adv^{A4}_B\big).
\end{aligned}$$

4.3 Definition of oracles

We introduce seven oracles that answer queries from the challenger B by sampling various distributions of group elements from a composite-order bilinear group. The outputs of oracle $O_i$ allow a simulator to produce the different types of secret keys, update keys and decryption keys, the different types of ciphertexts and the challenge keys for the corresponding game of Table 3. All oracles are defined with respect to a bilinear group G of order $p = p_1p_2p_3$ and initially choose random elements $g, u, v, w, u', v', w' \in G_{p_1}$, $g_2 \in G_{p_2}$, $g_3 \in G_{p_3}$ as well as random exponents $\psi_1, \psi_2, \sigma_1, \sigma_2, a', b', s, \delta_1, \delta_2, \gamma \in \mathbb{Z}_N$. They provide the attacker with a description of the group G as well as the group elements
$$\Big(g,\, u,\, v,\, w,\, g^{s}g_2^{\gamma},\, w^{y}(g_2g_3)^{y\psi_1},\, g^{y}(g_2g_3)^{y},\, v^{y}(g_2g_3)^{y\sigma_1},\, u',\, v',\, w',\, w'^{y'}(g_2g_3)^{y'\psi_2},\, g^{y'}(g_2g_3)^{y'},\, v'^{y'}(g_2g_3)^{y'\sigma_2}\Big). \quad (2)$$
Every oracle can simulate the semi-functional ciphertexts and the normal and semi-functional (H)IBE private keys from the group elements in Eq 2. We define the oracles $O_0$ to $O_4$, in which the simulators are allowed to produce a normal challenge decryption key. The outputs of oracle $O_0$ allow a simulator to produce a semi-functional challenge ciphertext and a normal challenge (H)IBE private key. The outputs of oracle $O_1$ allow a simulator to produce a semi-functional challenge ciphertext, a type-2 ephemeral semi-functional (ESF-2) challenge HIBE private key and a normal challenge IBE private key.
The outputs of oracle $O_1^+$ allow a simulator to produce a semi-functional challenge ciphertext, a type-2 ephemeral semi-functional (ESF-2) challenge IBE private key and a normal challenge HIBE private key. The outputs of oracle $O_3$ allow a simulator to produce a type-1 ephemeral semi-functional (ESF-1) ciphertext and a type-2 ephemeral semi-functional (ESF-2) challenge (H)IBE private key. Finally, the outputs of oracle $O_4$ allow a simulator to produce a semi-functional challenge ciphertext and a semi-functional challenge (H)IBE private key.

We define the oracles $O_5$ to $O_7$, in which the simulators are allowed to produce a semi-functional challenge (H)IBE key. The outputs of oracle $O_5$ allow a simulator to produce a semi-functional ciphertext and an ephemeral semi-functional challenge decryption key. The outputs of oracle $O_6$ allow a simulator to produce a type-1 ephemeral semi-functional (ESF-1) ciphertext and a type-2 ephemeral semi-functional (ESF-2) challenge decryption key. Finally, the outputs of oracle $O_7$ allow a simulator to produce a semi-functional ciphertext and a semi-functional challenge decryption key.

Oracle $O_0$. The first oracle, which we denote by $O_0$, responds to queries as follows. Upon receiving a challenge HIBE-key-type query for $I \in \mathbb{Z}_N$, it chooses $r, y' \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. Upon receiving a challenge IBE-key-type query for $T \in \mathbb{Z}_N$, it chooses $r', y'' \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. Upon receiving a challenge decryption-key-type query for $I \in \mathbb{Z}_N$ and $T \in \mathbb{Z}_N$, it chooses $r, y', r', y'' \in \mathbb{Z}_N$ randomly and returns the group elements
$$\Big(w^{y'},\; g^{y'},\; v^{y'}(u^{I}h)^{r},\; g^{r},\; w'^{y''},\; g^{y''},\; v'^{y''}(u'^{T}h')^{r'},\; g^{r'}\Big)$$
to the attacker. Upon receiving a ciphertext-type query for $I \in \mathbb{Z}_N$, it chooses $t \in \mathbb{Z}_N$ randomly and returns the group elements
$$\Big(w^{s}g_2^{\delta_1}v^{t},\; g^{t},\; (u^{I}h)^{t}\Big)$$
to the attacker.
It responds to a challenge decryption-key-type query in the same way as $O_0$.

to the attacker. It responds to a ciphertext-type query, a challenge HIBE-key-type query and a challenge decryption-key-type query in the same way as $O_0$.

Oracle $O_2$. The next oracle, which we denote by $O_2$, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a challenge IBE-key-type query, it responds in the same way as $O_1$. Upon receiving a ciphertext-type query for $I \in \mathbb{Z}_N$, it chooses $t \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for $T \in \mathbb{Z}_N$, it chooses $t' \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. It responds to a challenge decryption-key-type query in the same way as $O_0$.

Oracle $O_2^+$. The next oracle, which we denote by $O_2^+$, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a challenge IBE-key-type query, it responds in the same way as $O_1^+$. Upon receiving a ciphertext-type query for $I \in \mathbb{Z}_N$, it chooses $t \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for $T \in \mathbb{Z}_N$, it chooses $t' \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. It responds to a challenge decryption-key-type query in the same way as $O_0$.

Oracle $O_3$. The next oracle, which we denote by $O_3$, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a ciphertext-type query, it responds in the same way as $O_2$. Upon receiving a challenge IBE-key-type query for $I \in \mathbb{Z}_N$, it chooses $r'', y''' \in \mathbb{Z}_N$ randomly, and also chooses $X_2, Y_2 \in G_{p_2}$ and $X_3, Y_3 \in G_{p_3}$ randomly. It returns the group elements

Oracle $O_4$. The next oracle, which we denote by $O_4$, responds to ciphertext-type queries in the same way as $O_0$, and responds to a challenge HIBE-key-type query for $I \in \mathbb{Z}_N$ by choosing $r, y' \in \mathbb{Z}_N$ randomly and returning the group elements
$$\Big(w^{y'}(g_2g_3)^{y'\psi_1},\; g^{y'}(g_2g_3)^{y'},\; v^{y'}(g_2g_3)^{y'\sigma_1}(u^{I}h)^{r},\; g^{r}\Big)$$
to the attacker.
Upon receiving a challenge IBE-key-type query for $T \in \mathbb{Z}_N$, it chooses $r', y'' \in \mathbb{Z}_N$ randomly and returns the group elements
$$\Big(w'^{y''}(g_2g_3)^{y''\psi_2},\; g^{y''}(g_2g_3)^{y''},\; v'^{y''}(g_2g_3)^{y''\sigma_2}(u'^{T}h')^{r'},\; g^{r'}\Big)$$
to the attacker. It responds to a challenge decryption-key-type query in the same way as $O_0$.

Oracle $O_5$. The next oracle, which we denote by $O_5$, responds to queries as follows. Upon receiving a challenge decryption-key-type query for $I, T \in \mathbb{Z}_N$, it chooses $r, y', r', y'' \in \mathbb{Z}_N$ randomly, and also chooses $X_2, Y_2, X_2', Y_2' \in G_{p_2}$ and $X_3, Y_3, X_3', Y_3' \in G_{p_3}$ randomly. It returns the group elements
$$\Big(w^{y'},\; g^{y'},\; v^{y'}(u^{I}h)^{r}X_2X_3,\; g^{r}Y_2Y_3,\; w'^{y''},\; g^{y''},\; v'^{y''}(u'^{T}h')^{r'}X_2'X_3',\; g^{r'}Y_2'Y_3'\Big) \quad (17)$$
to the attacker. It responds to a ciphertext-type query and a challenge (H)IBE-key-type query in the same way as $O_4$.

Oracle $O_6$. The next oracle, which we denote by $O_6$, responds to queries as follows. Upon receiving a ciphertext-type query for $I \in \mathbb{Z}_N$, it chooses $t \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for $T \in \mathbb{Z}_N$, it chooses $t' \in \mathbb{Z}_N$ randomly and returns the group elements to the attacker. It responds to a decryption-key-type query and a challenge (H)IBE-key-type query in the same way as $O_5$.

Oracle $O_7$. The last oracle, which we denote by $O_7$, responds to ciphertext-type queries in the same way as $O_0$, and responds to a challenge decryption-key-type query for $I, T \in \mathbb{Z}_N$ by choosing $r, y', r', y'' \in \mathbb{Z}_N$ randomly and returning the group elements
$$\Big(w^{y'}(g_2g_3)^{y'\psi_1},\; g^{y'}(g_2g_3)^{y'},\; v^{y'}(g_2g_3)^{y'\sigma_1}(u^{I}h)^{r},\; g^{r},\; w'^{y''}(g_2g_3)^{y''\psi_2},\; g^{y''}(g_2g_3)^{y''},\; v'^{y''}(g_2g_3)^{y''\sigma_2}(u'^{T}h')^{r'},\; g^{r'}\Big)$$
to the attacker. It responds to a challenge (H)IBE-key-type query in the same way as $O_6$.

We define the advantage of an attacker A in distinguishing between $O_i$ and $O_j$ to be $|\Pr[A(O_i) = 1] - \Pr[A(O_j) = 1]|$.
Here, we assume that A interacts with either $O_i$ or $O_j$, and then outputs a bit 0 or 1 encoding its guess of which oracle it interacted with.

4.4 Indistinguishability of $G_{C'}$ and $G_{SF''}$

4.4.1 Strategy for the indistinguishability of $G_{C'}$ and $G_{SF''}$. For the proof of the indistinguishability of $G_{C'}$ and $G_{SF'}$, we cannot use the simple nested dual system of U-HIBE [11], which changes normal private keys (or normal update keys) into ephemeral semi-functional private keys (or semi-functional update keys) one by one, since the adversary of RHIBE can query a private key for $ID|_k \in \mathrm{Prefix}(ID^*|_l)$ and an update key for $T^*$. To solve this problem, we first use a modular design strategy like that of [13] and construct the private keys and update keys from smaller component keys. A secret key $SK_{ID|_k}$ consists of many HIBE private keys, represented as $\{SK_{HIBE,S_\theta}\}_{S_\theta \in Path}$, and an update key $UK_{ID|_{k-1},T,R}$ consists of a randomized decryption key $RSK_{HIBE}$ and many IBE private keys $\{SK_{IBE,S_i}\}_{S_i \in CV_R}$, where each HIBE private key (or IBE private key) is associated with a node $S_j$ in $BT_{ID|_{k-1}}$. The HIBE and IBE private keys can be grouped together if they are related to the same node $S_j$ in $BT_{ID|_{k-1}}$, and a correct decryption key is constructed from the grouped (H)IBE private keys. To uniquely identify a node $S_j \in BT_{ID|_{k-1}}$, we define a node identifier NID of this node as the string $ID|_{k-1} \| L_j$ where $L_j = \mathrm{Label}(v_j)$. To prove the indistinguishability of $G_{C'}$ and $G_{SF''}$, we change the normal HIBE private keys and normal IBE private keys that are related to the same node identifier NID into (ephemeral) semi-functional keys by defining additional hybrid games. These additional hybrid games are performed for all node identifiers that are used in the key queries of the adversary.

Second, we give an equivalent model in which the challenger B answers the secret (update, and decryption) key queries of the adversary A by requesting the associated (H)IBE private keys from an oracle simulator O, as shown in Fig 1.
When the adversary A queries B for the secret key, update key or decryption key of some identity and some time period, B constructs the key from the (H)IBE challenge key or decryption challenge key that it queries from the oracle simulator O. O adaptively answers B with the corresponding group elements, which it constructs from the public parameters given by some complexity assumption. Therefore, under the complexity assumptions, the oracle $O_i$ that O chooses to answer B is indistinguishable, and consequently the adversary A cannot tell whether it is playing the real RHIBE game or one of the variant games from all the answers it receives to its adaptive queries to B.

Fig 1. The query process in the proof of the indistinguishability of $G_{C'}$ and $G_{SF'}$. The group elements that the oracle simulator gives to the challenger B are not only the public parameters $PP_{HIBE}$ and $PP_{IBE}$, but also the group elements for constructing the (ephemeral) semi-functional keys and ciphertexts and the public elements given by the assumptions.

For the additional hybrid games that change HIBE private keys (or IBE private keys) related to the same node identifier $NID = ID|_{k-1} \| L_j$ from normal keys to semi-functional keys, we need to define an index pair $(i_n, i_c)$ for an HIBE private key (or an IBE private key) that is related to the node $v_j \in BT_{ID|_{k-1}}$, where $i_n$ is a node index and $i_c$ is a counter index. Suppose that an HIBE private key (or an IBE private key) is related to a node NID. The node index $i_n$ of the HIBE private key (or the IBE private key) is assigned as follows: If the node $v_j \in BT_{ID|_{k-1}}$ with node identifier NID appears for the first time in the key queries, then we set $i_n$ to the number of distinct node identifiers in the previous key queries plus one. If the node identifier NID already appeared in earlier key queries, then we set $i_n$ to the value $i_n'$ of the previous HIBE private key (or IBE private key) with the same node identifier.
The counter index $i_c$ of an HIBE private key is assigned as follows: If the node identifier NID appears for the first time in the HIBE private key queries, then we set $i_c$ to one. If the node identifier NID appeared before in the HIBE private key queries, then we set $i_c$ to the number of HIBE private keys with the same node identifier that appeared before, plus one. We assign the counter index $i_c$ of an IBE private key in the same way.

Third, we divide the behaviour of an adversary into two types, Type-1 and Type-2, and show that the semi-functional key invariance property holds for both types. Let $ID^*|_l$ be the challenge hierarchical identity and $T^*$ the challenge time. For a challenge node v with node index h in the hybrid games between $G_C$ and $G_{SF}$, the adversary types are formally defined as follows:

1. Type-1: An adversary is Type-1 if it queries a hierarchical identity $ID|_k \notin \mathrm{Prefix}(ID^*|_l)$ for all HIBE private keys with node index h, and it queries the time $T = T^*$ for at least one IBE private key with node index h.

2. Type-2: An adversary is Type-2 if it queries a time $T \ne T^*$ for all IBE private keys with node index h. Note that it may query a hierarchical identity $ID|_k \in \mathrm{Prefix}(ID^*|_l)$ for at least one HIBE private key with node index h, or it may query hierarchical identities $ID|_j \notin \mathrm{Prefix}(ID^*|_l)$ for all HIBE private keys with node index h.

We prove our dual system encryption RHIBE scheme via a hybrid argument over the sequence of games in Table 3. For the two types of adversary, the sequence of games is basically the same, except that:

1. For the Type-1 adversary, we prove the indistinguishability of $G_{C'}$ and $G_{ESF'}$ by the transition from $G_{C'}$ to $G_{EK-S}$ and then to $G_{ESF'}$, without the attacker's advantage changing by a non-negligible amount.

2. For the Type-2 adversary, we prove the indistinguishability of $G_{C'}$ and $G_{ESF'}$ by the transition from $G_{C'}$ to $G_{EK-U}$ and then to $G_{ESF'}$, without the attacker's advantage changing by a non-negligible amount.
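The index-pair assignment and the Type-1/Type-2 distinction above are bookkeeping rules over the adversary's query log, and they are easiest to check by running them. The Python below is an added example and not code from the paper: it assigns $(i_n, i_c)$ to a constructed sequence of HIBE and IBE private-key queries, each tagged with its node identifier $NID = ID|_{k-1}\|L_j$, and then classifies the adversary at each node index h against a constructed challenge $(ID^*|_2, T^*)$. The query log, the labels, the identities and the function names are assumptions of this example; the rules themselves are those stated in the text.

```python
# Added example (not the paper's code): the index-pair assignment of Sec. 4.4.1 and the
# Type-1 / Type-2 classification of an adversary at a challenge node.  The query log,
# identities, labels and the challenge (ID*, T*) below are constructed for illustration.
from collections import defaultdict

def node_identifier(parent_id, label):
    # NID = ID|k-1 || L_j : the parent's identity vector joined with the node label L_j = Label(v_j)
    return (tuple(parent_id), label)

def assign_index_pairs(queries):
    """Assign (i_n, i_c) to each (H)IBE private-key query, in query order.
    i_n: number of distinct node identifiers seen before this NID first appeared, plus one
         (reused for every later key with the same NID);
    i_c: per-NID counter of HIBE keys, or, separately, of IBE keys."""
    node_index = {}                 # NID -> i_n
    counters = defaultdict(int)     # (NID, kind) -> keys with this NID and kind seen so far
    pairs = []
    for q in queries:
        nid = q["nid"]
        if nid not in node_index:
            node_index[nid] = len(node_index) + 1
        counters[(nid, q["kind"])] += 1
        pairs.append((node_index[nid], counters[(nid, q["kind"])]))
    return pairs

def is_prefix(id_vec, full_id):
    return tuple(full_id[:len(id_vec)]) == tuple(id_vec)

def adversary_type(queries, pairs, h, challenge_id, challenge_time):
    """Classify the adversary at challenge node index h (Sec. 4.4.1).
    Type-1: every HIBE key with node index h is for an identity outside Prefix(ID*),
            and at least one IBE key with node index h is for time T*.
    Type-2: every IBE key with node index h is for a time other than T*."""
    at_h = [q for q, (i_n, _) in zip(queries, pairs) if i_n == h]
    hibe = [q for q in at_h if q["kind"] == "HIBE"]
    ibe = [q for q in at_h if q["kind"] == "IBE"]
    if all(not is_prefix(q["id"], challenge_id) for q in hibe) and \
       any(q["time"] == challenge_time for q in ibe):
        return "Type-1"
    if all(q["time"] != challenge_time for q in ibe):
        return "Type-2"
    return None   # a prefix HIBE key and a T* IBE key at the same node: outside both cases

# Constructed query log.  NIDs live in BT_{ID|1} for the parent identity (1,) and in the
# root tree BT_{ID|0}; the labels "L3", "L7", "L1" stand for Label(v_j).
QUERIES = [
    {"kind": "HIBE", "nid": node_identifier((1,), "L3"), "id": (1, 2), "time": None},
    {"kind": "IBE",  "nid": node_identifier((1,), "L3"), "id": None,   "time": 4},
    {"kind": "HIBE", "nid": node_identifier((1,), "L7"), "id": (1, 3), "time": None},
    {"kind": "IBE",  "nid": node_identifier((1,), "L7"), "id": None,   "time": 5},
    {"kind": "HIBE", "nid": node_identifier((1,), "L3"), "id": (1, 2), "time": None},
    {"kind": "IBE",  "nid": node_identifier((1,), "L7"), "id": None,   "time": 6},
    {"kind": "IBE",  "nid": node_identifier((),   "L1"), "id": None,   "time": 5},
]
CHALLENGE_ID, CHALLENGE_TIME = (1, 2), 5        # ID*|2 and T* (constructed)

def demo():
    pairs = assign_index_pairs(QUERIES)
    types = {h: adversary_type(QUERIES, pairs, h, CHALLENGE_ID, CHALLENGE_TIME) for h in (1, 2, 3)}
    return pairs, types
```

On this log the first and fifth queries share a node identifier and so share $i_n = 1$ while their counter indices run 1, 2; the IBE key at the same node gets its own counter. At node index 1 the adversary holds an HIBE key for $ID^*$ itself but only an IBE key for $T \ne T^*$, so it is Type-2 there; at node indices 2 and 3 it holds an IBE key for $T^*$ and no HIBE key for a prefix of $ID^*$, so it is Type-1 there. The `None` branch marks the combination the two definitions in the text do not cover.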
Theorem 2. Under Assumptions 3 and 4, our dual system encryption RHIBE scheme satisfies
$$|Adv^{G_{C'}}_A(\lambda) - Adv^{G_{SF''}}_A(\lambda)| \le \big(O(q_n \log N_{max}) + O(q_n r_{max} \log N_{max})\big)\big(Adv^{A3}_B + Adv^{A4}_B\big) + O(l)\big(Adv^{A3}_B + Adv^{A4}_B\big). \quad (20)$$

We prove the indistinguishabilities between the games $G_{C'}$, $G_{E-S}$ (or $G_{E-U}$), $G_{E-S'}$ (or $G_{E-U'}$), $G_{ESF'}$ and $G_{SF''}$ by going through several intermediate oracles. The main properties of our oracles are summarized in Tables 4 and 5 for the Type-1 adversary and in Table 6 for the Type-2 adversary. We intend these tables only as a quick reference guide, not as a definition. We give a complete proof for the Type-1 adversary, followed by a brief explanation of the proof for the Type-2 adversary.

Tables 4–6 (oracle properties; only the table note survived extraction). Note: oracles marked with ‡ initialize with an extra $G_{p_3}$ term on $g^{s}g_2^{\gamma}$.

4.4.2 Type-1 adversary. As defined before, the Type-1 adversary is restricted to queries on hierarchical identities $ID|_k \notin \mathrm{Prefix}(ID^*|_l)$. By querying all HIBE private keys with any node index h whose node lies on the path from the root to the leaf node $v_{ID|_k}$ in the tree $BT_{ID|_{k-1}}$, the adversary derives the secret key of $ID|_k$. We can therefore give an information-theoretic argument for changing the HIBE private keys from normal to ephemeral semi-functional HIBE keys, and then to semi-functional HIBE keys. Meanwhile, by adaptively transforming the types of the IBE private keys earlier or later than the transformation of the HIBE private keys, we avoid a potential paradox for the update keys.
From the following Lemma 1 to Lemma 20, we obtain the advantage of a Type-1 adversary in distinguishing $G_{C'}$ and $G_{SF''}$ as
$$\begin{aligned}
Adv^{G_{C'}}_A - Adv^{G_{SF''}}_A \le\;& |Adv^{G_{C'}}_A - Adv^{G_{E-S}}_A| + |Adv^{G_{E-S}}_A - Adv^{G_{E-S'}}_A| + |Adv^{G_{E-S'}}_A - Adv^{G_{ESF'}}_A| + |Adv^{G_{ESF'}}_A - Adv^{G_{SF''}}_A| \\
\le\;& \big(O(q_n(q_s + q_e)) + O(l)\big)\big(Adv^{A3}_B + Adv^{A4}_B\big) \\
\le\;& \big(O(q_n \log N_{max} + q_n r_{max} \log N_{max}) + O(l)\big)\big(Adv^{A3}_B + Adv^{A4}_B\big). \quad (21)
\end{aligned}$$
We give the proofs of these lemmas in Appendix B.

(1) Indistinguishability of $G_{C'}$ and $G_{E-S}$. For the security proof of the indistinguishability of $G_{C'}$ and $G_{E-S}$, we define a sequence of additional hybrid games $G_{C',1}, \ldots, G_{C',h}, \ldots, G_{C',q_n}$, where $G_{C'} = G_{C',0}$ and $q_n$ is the number of all node identifiers used in the HIBE private keys and IBE private keys of an adversary. In the game $G_{C',h}$ for $1 \le h \le q_n$, the challenge ciphertext is semi-functional, all IBE private keys are normal, the HIBE private keys with node index $i_n \le h$ are ESF-2, and the remaining HIBE private keys with node index $i_n > h$ are normal.

Oracle $O_{1/2}$. This oracle initializes in the same way as $O_0$ and $O_1$ and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type

1. $i_c < h_c$: It randomly chooses $y', \ldots$ It implicitly sets $g^{r'}$ to be $X_1^{r'}$, and that is a properly distributed ESF-2-UK.

2. $i_c = h_c$: B chooses random values $y_1, \ldots$ and the challenge key as: $\ldots$, where $(T_0, T_1, T_2, T_3)$ is the challenge IBE key queried from O, which chooses a random $y' \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = (w'^{y'}, g^{y'}, v'^{y'}T^{a'T+b'}, T)$ to B.

3. $i_c > h_c$: It simply generates a normal IBE private key.

In the challenge IBE key, it implicitly sets $g^{r}$ to be the $G_{p_1}$ part of T. If $T \in G_{p_1}$, then this matches the distribution of $O_0$ (since there are no $G_{p_3}$ terms here), so this is a properly distributed normal key and B is playing Game $E_{h_c-1,2}$.
If $T \in G_{p_1p_3}$, then this matches the distribution of $O_{1/2}$ (note that a, b modulo $p_2$ are uniformly random and do not occur elsewhere, so there are random $G_{p_3}$ terms attached to the last two group elements), and then B is playing Game $E_{h_c,1}$. Hence, if a PPT attacker can distinguish between $E_{h_c-1,2}$ and $E_{h_c,1}$ with non-negligible advantage, O can distinguish between $O_2$ and $O_{5/2}$ with non-negligible advantage, which means O gains a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $O_2$ and $O_{5/2}$ with non-negligible advantage, and therefore no PPT attacker can distinguish between $E_{h_c-1,2}$ and $E_{h_c,1}$ with non-negligible advantage.

Lemma 7. Under Assumption 4, no PPT attacker can distinguish between $O_{5/2}$ and $O_3$ with non-negligible advantage. Hence no PPT attacker can distinguish between $E_{h_c,1}$ and $E_{h_c,2}$ with non-negligible advantage.

Proof. We assume B interacts with one of $O_{1/2}$ and $O_1$. O receives $g, g_3, X_1X_2, Y_2Y_3, T$. O simulates either $O_{1/2}$ or $O_1$ with B, depending on the value of T (which is either in G or in $G_{p_1p_3}$). O picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}$, $h = g^{b}$, $v = g^{c}$, $w = g^{d}$, $u' = g^{a'}$, $h' = g^{b'}$, $v' = g^{c'}$, $w' = g^{d'}$. B initially obtains the group elements of Eq 84,
$$\Big(g,\, u,\, h,\, v,\, w,\, X_1X_2,\, w^{y}(Y_2Y_3)^{y\psi},\, g^{y}(Y_2Y_3)^{y},\, v^{y}(Y_2Y_3)^{y\sigma},\, u',\, h',\, v',\, w',\, w'^{y'}(Y_2Y_3)^{y'\psi},\, g^{y'}(Y_2Y_3)^{y'},\, v'^{y'}(Y_2Y_3)^{y'\sigma}\Big),$$
from its oracle simulator, and gives A the public parameters of Eq 83. When A requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1^*, \ldots, I_l^*)$ and $T^*$, B makes a ciphertext-type query to the oracle for each $I_i^*$ and for $T^*$. When B makes a ciphertext-type query for some identity $I^*$, O responds by choosing a random $t \in \mathbb{Z}_N$ and returning
$$\Big(w^{s}g_2^{\delta_1}v^{t}g_2^{\sigma_1 t},\; g^{t}g_2^{t},\; (u^{I^*}h)^{t}g_2^{t(a'I^* + b')}\Big)$$
to B, as in Eq 10.
When B makes a ciphertext-type query for some time $T^*$, O responds by choosing a random $t' \in \mathbb{Z}_N$ and returning
$$\Big(w'^{s}g_2^{\delta_2}v'^{t'}g_2^{\sigma_2 t'},\; g^{t'}g_2^{t'},\; (u'^{T^*}h')^{t'}g_2^{t'(a'T^* + b')}\Big)$$
to B, as in Eq 11. Then B creates the ESF-1 ciphertexts successfully. When A requests the secret key of an identity vector $ID|_j = (I_1, \ldots, I_j)$, B creates the ESF-2-SK key from the HIBE-type query response of O, and the secret key for $ID|_j$ in some node $\theta$ is
$$S_{i,0} = g^{\lambda_i}w^{y_i},\; S_{i,1} = g^{y_i},\; S_{i,2} = g^{r_i},\; S_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\},$$
$$S_{j,0} = g^{\gamma_\theta - \sum_{i=1}^{j-1}\lambda_i}w^{y_j},\; S_{j,1} = g^{y_j},\; S_{j,2} = v^{y_j}(X_1X_2)^{r_j'(aI_j+b)}g_3^{z},\; S_{j,3} = (X_1X_2)^{r_j'}g_3^{z'},$$
where $y_1, \ldots, y_j, \lambda_1, \ldots, \lambda_{j-1}, r_1, \ldots, r_{j-1}, r_j', z, z' \in \mathbb{Z}_N$ are randomly chosen. When B creates the IBE private key with index pair $(h, i_c)$ for a time T in the node with index h of the binary tree $BT_{ID|_j = (I_1, \ldots, I_{j-1})}$, the update key with index pair $(h, i_c)$ is generated as follows:

1. $i_c < h_c$: B chooses random values $y_1, \ldots$ and generates an ESF-2 $TUK_{IBE,h}$:
$$U_{i,0} = g^{\lambda_i}w^{y_i},\; U_{i,1} = g^{y_i},\; U_{i,2} = g^{r_i},\; U_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\}.$$

2. $i_c = h_c$: B chooses random values $y_1, \ldots$ and the challenge key as:
$$U_{i,0} = g^{\lambda_i}w^{y_i},\; U_{i,1} = g^{y_i},\; U_{i,2} = g^{r_i},\; U_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\},$$
where $(T_0, T_1, T_2, T_3)$ is the challenge IBE key queried from O, which chooses a random $y' \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = (w'^{y'}, g^{y'}, v^{y'}T^{a'T+b'}, T)$ to B.

3. $i_c > h_c$: It simply generates a normal HIBE private key.

As in the previous lemma, this implicitly sets $g^{r'}$ to be the $G_{p_1}$ part of T in the challenge IBE key. We note that $a', b'$ modulo $p_2, p_3$ are uniformly random and do not appear elsewhere. Thus, when $T \in G_{p_1p_3}$, the last two terms have random elements of $G_{p_3}$ attached (matching the distribution of $O_{5/2}$), and B is playing Game $E_{h_c,1}$. When $T \in G$, the last two terms have random elements of both $G_{p_3}$ and $G_{p_2}$ attached (matching the distribution of $O_3$), and B is playing Game $E_{h_c,2}$.
Hence, if a PPT attacker can distinguish between $E_{h_c,1}$ and $E_{h_c,2}$ with non-negligible advantage, O can distinguish between $O_{5/2}$ and $O_3$ with non-negligible advantage, which means O gains a non-negligible advantage against Assumption 4. Thus, under Assumption 4, no PPT attacker can distinguish between $O_{5/2}$ and $O_3$ with non-negligible advantage, and therefore no PPT attacker can distinguish between $E_{h_c,1}$ and $E_{h_c,2}$ with non-negligible advantage.

Lemma 8. Under Assumption 3, no PPT attacker can distinguish between $O_3$ and $O_{3.1}$ with non-negligible advantage. Hence no PPT attacker can distinguish between $F_{h_c-1}$ and $F_{h_c}$ with non-negligible advantage.

Proof. We assume B interacts with one of $O_3$ and $O_{3.1}$. O receives $g, g_2, X_1X_3, Y_1Y_3, T$. O simulates either $O_0$ or $O_{1/2}$ with B, depending on the value of T (which is either in $G_{p_1}$ or in $G_{p_1p_3}$). O picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}$, $h = g^{b}$, $v = g^{c}$, $w = g^{d}$, $u' = g^{a'}$, $h' = g^{b'}$, $v' = g^{c'}$, $w' = g^{d'}$. B initially obtains the group elements of Eq 82,
$$\Big(g^{d'y''},\; g^{y''},\; g^{c'y''}(X_1X_3)^{(a'T+b')r'}g_2^{r_1},\; (X_1X_3)^{r'}g_2^{r_2}\Big)$$
to B, and then B creates the ESF-2 update key from these group elements. When B creates the HIBE private key with index pair $(h, i_c)$ for some identity vector $(I_1, \ldots, I_j)$ in the node with index h, the HIBE private key with index pair $(h, i_c)$ is generated as follows:

1. $i_c < h_c$: It randomly chooses $y_1, \ldots, y_{j-1}, y_j', \lambda_1, \ldots$ and generates an ESF-3-SK $PSK_{HIBE,h}$:
$$K_{i,0} = g^{\lambda_i}w^{y_i},\; K_{i,1} = g^{y_i},\; K_{i,2} = g^{r_i},\; K_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\},$$
$$K_{j,0} = g^{\gamma_\theta - \sum_{i=1}^{j-1}\lambda_i}(X_1X_3)^{dy_j'},\; K_{j,1} = (X_1X_3)^{y_j'},\; K_{j,2} = (X_1X_3)^{cy_j'}(X_1X_3)^{r_j'(aI_j+b)}g_2^{z},\; K_{j,3} = (X_1X_3)^{r_j'}g_2^{z'}.$$
It implicitly sets $g^{y_j}$ to be $X_1^{y_j'}$ and $g^{r_j}$ to be $X_1^{r_j'}$, and that is a properly distributed ESF-3-SK.

2.
$i_c = h_c$: B chooses random values $y_1, \ldots$ and the challenge key as:
$$K_{i,0} = g^{\lambda_i}w^{y_i},\; K_{i,1} = g^{y_i},\; K_{i,2} = g^{r_i},\; K_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\},\qquad K_{j,0} = g^{\gamma_\theta}\ldots$$
where $(T_0, T_1, T_2, T_3)$ is the challenge HIBE key queried from O, which chooses random $r, r_1, r_2 \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = (T^{d}, T, T^{c}(X_1X_3)^{r(aI+b)}g_2^{r_1}, (X_1X_3)^{r}g_2^{r_2})$ to B.

3. $i_c > h_c$: It randomly chooses $y_1, \ldots$ and sets
$$K_{i,0} = g^{\lambda_i}w^{y_i},\; K_{i,1} = g^{y_i},\; K_{i,2} = g^{r_i},\; K_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\},$$
$$K_{j,0} = g^{\ldots - \sum_{i=1}^{j-1}\lambda_i}w^{y_j},\; K_{j,1} = g^{y_j},\; K_{j,2} = v^{y_j}(X_1X_3)^{r_j'(aI_j+b)}g_2^{z},\; K_{j,3} = (X_1X_3)^{r_j'}g_2^{z'}.$$
It implicitly sets $g^{r_j}$ to be $X_1^{r_j'}$, and that is a properly distributed ESF-2-SK.

In the challenge HIBE key, it implicitly sets $g^{y'}$ to be the $G_{p_1}$ part of T. If $T \in G_{p_1}$, then this matches the distribution of $O_3$ (since there are no $G_{p_3}$ terms here), so this is a properly distributed normal key and B is playing Game $F_{h_c-1}$. If $T \in G_{p_1p_3}$, then this matches the distribution of $O_{3.1}$ (note that a, b modulo $p_2$ are uniformly random and do not occur elsewhere, so there are random $G_{p_3}$ terms attached to the last two group elements), and B is playing Game $F_{h_c}$. Hence, if a PPT attacker can distinguish between $F_{h_c-1}$ and $F_{h_c}$ with non-negligible advantage, O can distinguish between $O_3$ and $O_{3.1}$ with non-negligible advantage, which means O gains a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $O_3$ and $O_{3.1}$ with non-negligible advantage, and therefore no PPT attacker can distinguish between $F_{h_c-1}$ and $F_{h_c}$ with non-negligible advantage.

Lemma 9. Under Assumption 3, no PPT attacker can distinguish between $O_{3.1}$ and $O_{3.2}$ with non-negligible advantage. Hence no PPT attacker can distinguish between $F1_{h_c-1}$ and $F1_{h_c}$ with non-negligible advantage.

Proof. The proof of this lemma is almost the same as that of Lemma 8, except for the generation of the secret keys and update keys.
Upon receiving a challenge HIBE-key-type query for $I \in \mathbb{Z}_N$, O chooses $r_1, r_2, r', y'' \in \mathbb{Z}_N$ randomly and returns the group elements
$$\Big((X_1X_3)^{dy''},\; (X_1X_3)^{y''},\; (X_1X_3)^{c'y''}(X_1X_3)^{(aI+b)r'}g_2^{r_1},\; (X_1X_3)^{r'}g_2^{r_2}\Big)$$
to B, and then B creates the ESF-3 update key from these group elements. When B creates the IBE private key with index pair $(h, i_c)$ for some identity vector $(I_1, \ldots, I_{j-1})$ and the time T in the node with index h, the IBE private key with index pair $(h, i_c)$ is generated as follows:

1. $i_c < h_c$: It randomly chooses $y_1, \ldots, y_{j-1}, y'', \lambda_1, \ldots, r_{j-1}, r'', z, z' \in \mathbb{Z}_N$ and generates an ESF-3-UK $EUK_{IBE,h}$:
$$U_{i,0} = g^{\lambda_i}w^{y_i},\; U_{i,1} = g^{y_i},\; U_{i,2} = g^{r_i},\; U_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\}.$$
It implicitly sets $g^{y'}$ to be $X_1^{y''}$ and $g^{r'}$ to be $X_1^{r''}$, and that is a properly distributed ESF-3-UK.

2. $i_c = h_c$:
$$U_{i,0} = g^{\lambda_i}w^{y_i},\; U_{i,1} = g^{y_i},\; U_{i,2} = g^{r_i},\; U_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\},$$
where $(T_0, T_1, T_2, T_3)$ is the challenge IBE key queried from O, which chooses random $r, r_1, r_2 \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = (T^{d'}, T, T^{c'}(X_1X_3)^{r(a'T+b')}g_2^{r_1}, (X_1X_3)^{r}g_2^{r_2})$ to B.

3. $i_c > h_c$: It randomly chooses $y_1, \ldots$ and generates an ESF-2-UK $EUK_{IBE,h}$:
$$U_{0,0} = \big(\ldots^{\sum_{i=1}^{j-1}\lambda_i}w\big)^{y'},\; U_{0,1} = g^{y'},\; U_{0,2} = v'^{y'}(X_1X_3)^{r''(a'T+b')}g_2^{z},\; U_{0,3} = (X_1X_3)^{r_j'}g_2^{z'},$$
$$U_{i,0} = g^{\lambda_i}w^{y_i},\; U_{i,1} = g^{y_i},\; U_{i,2} = g^{r_i},\; U_{i,3} = (u^{I_i}h)^{r_i}v^{y_i},\quad i \in \{1, \ldots, j-1\}.$$
It implicitly sets $g^{r'}$ to be $X_1^{r''}$, and that is a properly distributed ESF-2-UK.

In the challenge IBE key, it implicitly sets $g^{y'}$ to be the $G_{p_1}$ part of T. If $T \in G_{p_1}$, then this matches the distribution of $O_{3.1}$ (since there are no $G_{p_3}$ terms here), so this is a properly distributed normal key and B is playing Game $F1_{h_c-1}$. If $T \in G_{p_1p_3}$, then this matches the distribution of $O_{3.2}$ (note that a, b modulo $p_2$ are uniformly random and do not occur elsewhere, so there are random $G_{p_3}$ terms attached to the last two group elements), and B is playing Game $F1_{h_c}$.
Hence, if a PPT attacker can distinguish between $F^1_{h_c-1}$ and $F^1_{h_c}$ with non-negligible advantage, $O$ can distinguish between $O_{3.1}$ and $O_{3.2}$ with non-negligible advantage, which means $O$ gains a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $O_{3.1}$ and $O_{3.2}$ with non-negligible advantage, and so no PPT attacker can distinguish between $F^1_{h_c-1}$ and $F^1_{h_c}$ with non-negligible advantage.

Lemma 10. Under Assumption 4, no PPT attacker can distinguish between $O_{3.2}$ and $O_{3.3}$ with non-negligible advantage. So no PPT attacker can distinguish between $G_{ESF'-2}$ and $G_{ESF'-3}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $O_{3.2}$, $O_{3.3}$. $O$ receives $g, g_2, X_1X_3, Y_2Y_3, T$. $O$ will simulate either $O_{3.2}$ or $O_{3.3}$ with $B$, depending on the value of $T$ (which is either in $G$ or in $G_{p_1p_2}$). $O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. It chooses random values $\sigma_1, \sigma_2, y, y_0, t_3, z \in \mathbb{Z}_N$, and then $B$ initially obtains the group elements
$$g,\ u,\ h,\ v,\ w,\ T,\ w^{y}(Y_2Y_3)^{d},\ g^{y}(Y_2Y_3),\ v^{y}(Y_2Y_3)^{\sigma_1},\ u',\ h',\ v',\ w',\ w'^{\,y_0}(Y_2Y_3)^{z d'},\ g^{y_0}(Y_2Y_3)^{z},\ v'^{\,y_0}(Y_2Y_3)^{\sigma_2} \qquad (86)$$
We note that this sets $\psi_1 = d$ modulo $p_2$ and $p_3$. It implicitly sets $g^{s}$ to be the $G_{p_1}$ part of $T$. If $T \in G_{p_1p_2}$, this is distributed identically to the initial elements provided by $O_{3.2}$. If $T \in G$, this is distributed identically to the initial elements provided by $O_{3.3}$.
Upon receiving a challenge IBE-key-type query for $T \in \mathbb{Z}_n$, $O$ chooses $r_1, r_2, r', y_0' \in \mathbb{Z}_n$ randomly and returns the group elements
$$g,\ u,\ h,\ v,\ w,\ g^{s}(Y_2Y_3)^{\gamma},\ w^{y}(Y_2Y_3)^{d},\ g^{y}Y_2Y_3,\ v^{y}(Y_2Y_3)^{c},\ u',\ h',\ v',\ w',\ w'^{\,y_0}(Y_2Y_3)^{z d'},\ g^{y_0}(Y_2Y_3)^{z},\ v'^{\,y_0}(Y_2Y_3)^{z c'} \qquad (87)$$
from its oracle simulator, which additionally chooses $s, \gamma, y, y_0, z \in \mathbb{Z}_N$ randomly. We note that this is properly distributed and sets $\psi_1 = d$ modulo $p_2$ and $p_3$, $\psi_2 = d'$ modulo $p_2$ and $p_3$, $\sigma_1 = c$ modulo $p_2$ and $p_3$, and $\sigma_2 = c'$ modulo $p_2$ and $p_3$.
When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. When $B$ makes a ciphertext-type query for some identity $I$, $O$ responds by choosing a random $t' \in \mathbb{Z}_N$ and returning $\big(w^{s}(Y_2Y_3)^{d_1}(X_1X_2)^{c t'},\ (X_1X_2)^{t'} g_3^{t_3},\ (X_1X_2)^{aI+b} g_3^{t_3'}\big)$ to $B$. When $B$ makes a ciphertext-type query for some time $T^*$, $O$ responds by choosing a random $t' \in \mathbb{Z}_N$ and returning $\big(w'^{\,s}(Y_2Y_3)^{d_2}(X_1X_2)^{c' t'},\ (X_1X_2)^{t'} g_3^{t_3},\ (X_1X_2)^{a'T+b'} g_3^{t_3'}\big)$ to $B$. This implicitly sets $g^{t} = X_1^{t'}$. It also sets $a_0 = a$ and $b_0 = b$ modulo $p_2$ (or $a_0 = a'$ and $b_0 = b'$ modulo $p_2$), which are properly distributed because $a, b$ modulo $p_2$ and $a', b'$ modulo $p_2$ do not appear elsewhere. Then $B$ creates the ESF-5 ciphertexts successfully.
Upon receiving a challenge IBE-key-type query for $T \in \mathbb{Z}_n$, $O$ chooses $r, y_0, z \in \mathbb{Z}_n$ randomly and returns the group elements $\big(w'^{\,y_0} g_3^{y_0 c},\ g^{y_0} g_3^{y_0},\ g^{r}(Y_2Y_3),\ v'^{\,y_0}(u'^{T}h')^{r}(Y_2Y_3)^{z}\big)$ to $B$. Then $B$ creates the ESF-3 update key from these group elements. When $B$ creates the HIBE private key with the index pair $(h, i_c)$ for some identity vector $(I_1, \ldots, I_j)$ in the index-$h$ node, the HIBE private key with index pair $(h, i_c)$ is generated as follows:
1. $i_c < h_c$: It randomly chooses $y_1$, … and generates an ESF-4-SK $PSK_{HIBE,h}$.
2. $i_c = h_c$: $B$ chooses random values $y_1$, … and forms the challenge key as: $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$.
$K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$.
In the challenge HIBE key, it implicitly sets $g^{y_0}$ to be the $G_{p_1}$ part of $T$. If $T \in G_{p_2p_3}$, then this matches the distribution of $O_{3.3}$, so this will be a properly distributed normal key and $B$ is playing Game $F^3_{h_c-1}$. If $T \in G$, then this matches the distribution of $O_{3.4}$, and then $B$ is playing Game $F^3_{h_c}$. Hence, if a PPT attacker can distinguish between $F^3_{h_c-1}$ and $F^3_{h_c}$ with non-negligible advantage, $O$ can distinguish between $O_{3.3}$ and $O_{3.4}$ with non-negligible advantage.
It means $O$ can gain a non-negligible advantage against Assumption 4. Thus, under Assumption 4, no PPT attacker can distinguish between $O_{3.3}$ and $O_{3.4}$ with non-negligible advantage, and so no PPT attacker can distinguish between $F^3_{h_c-1}$ and $F^3_{h_c}$ with non-negligible advantage.

Lemma 12. Under Assumption 4, no PPT attacker can distinguish between $O_{3.4}$ and $O_{3.5}$ with non-negligible advantage. So no PPT attacker can distinguish between $G_{ESF'-4}$ and $G_{ESF'-5}$ with non-negligible advantage.

Proof. The proof of this lemma is almost the same as that of Lemma 11, except for the generation of secret keys and update keys. Upon receiving a challenge HIBE-key-type query for $I \in \mathbb{Z}_n$, $O$ chooses $r, y_0, z, z' \in \mathbb{Z}_n$ randomly and returns the group elements $\big(w^{y_0}(Y_2Y_3)^{y_0 c},\ g^{y_0}(Y_2Y_3)^{y_0},\ g^{r}(Y_2Y_3)^{z},\ v^{y_0}(u^{I}h)^{r}(Y_2Y_3)^{z'}\big)$ to $B$. Then $B$ creates the ESF-4 secret key from these group elements.
1. $i_c < h_c$: It randomly chooses $y_1$, … and generates an ESF-4-UK $TUK_{IBE,h}$: $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$. That is a properly distributed ESF-4-UK.
2. $i_c = h_c$: $B$ chooses random values $y_1$, … and forms the challenge key as: $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, where $(T_0, T_1, T_2, T_3)$ is the challenge IBE key queried to $O$, who chooses random $r, r_1, r_2 \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = \big(T^{d'},\ T,\ T^{c'}(u'^{T}h')^{r}(Y_2Y_3)^{r_1},\ g^{r}(Y_2Y_3)^{r_2}\big)$ to $B$.
3. $i_c > h_c$: It randomly chooses $y_0, y_1$, … and generates an ESF-3-UK $TUK_{IBE,h}$: $U_{0,3} = g^{r_j}(Y_2Y_3)^{z'}$, and $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$. That is a properly distributed ESF-3-UK.
In the challenge IBE key, it implicitly sets $g^{y_0}$ to be the $G_{p_1}$ part of $T$. If $T \in G_{p_2p_3}$, then this matches the distribution of $O_{3.4}$, so this will be a properly distributed normal key and $B$ is playing Game $F^4_{h_c-1}$. If $T \in G$, then this matches the distribution of $O_{3.5}$, and then $B$ is playing Game $F^4_{h_c}$.
Hence, if a PPT attacker can distinguish between $F^4_{h_c-1}$ and $F^4_{h_c}$ with non-negligible advantage, $O$ can distinguish between $O_{3.4}$ and $O_{3.5}$ with non-negligible advantage, which means $O$ gains a non-negligible advantage against Assumption 4. Thus, under Assumption 4, no PPT attacker can distinguish between $O_{3.4}$ and $O_{3.5}$ with non-negligible advantage, and so no PPT attacker can distinguish between $F^4_{h_c-1}$ and $F^4_{h_c}$ with non-negligible advantage.

Lemma 13. Under Assumption 4, no PPT attacker can distinguish between $O_{3.5}$ and $O_{3.6}$ with non-negligible advantage. So no PPT attacker can distinguish between $G_{ESF'-5}$ and $G_{ESF'-6}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $O_{3.5}$, $O_{3.6}$. $O$ receives $g, g_2, X_1X_3, Y_2Y_3, T$. $O$ will simulate either $O_{3.5}$ or $O_{3.6}$ with $B$, depending on the value of $T$ (which is either in $G$ or in $G_{p_1p_2}$). $O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. $B$ initially obtains the group elements
$$g,\ u,\ v,\ w,\ T,\ w^{y}(Y_2Y_3)^{d},\ g^{y}(Y_2Y_3),\ v^{y}(Y_2Y_3)^{\sigma_1},\ u',\ v',\ w',\ w'^{\,y_0}(Y_2Y_3)^{d'},\ g^{y_0}(Y_2Y_3)^{z},\ v'^{\,y_0}(Y_2Y_3)^{\sigma_2} \qquad (88)$$
from its oracle simulator, where $z, y_0, y, \sigma_1, \sigma_2 \in \mathbb{Z}_p$ are randomly chosen. We note that this sets $\psi = d$ modulo $p_2$ and $p_3$. If $T \in G_{p_1p_2}$, then this matches the initial elements provided by $O_{3.6}$. If $T \in G$, then this matches the initial elements provided by $O_{3.5}$. It chooses $\alpha \in \mathbb{Z}_n$ randomly and gives $A$ the public parameters in Eq 83. We note that $B$ knows the master secret key $\alpha$. When $A$ requests a normal update key or a normal decryption key, $B$ can respond using the usual key generation algorithm, since it knows $\alpha$. When $A$ makes a secret key query for the identity $ID|_j = (I_1, \ldots, I_j)$, $B$ makes its challenge HIBE-key-type query for $I_j$, and $O$ responds as follows.
It chooses $y_0, r, r_1, r_2 \in \mathbb{Z}_N$ randomly and responds with $\big((X_1X_3g_2)^{d y_0},\ (X_1X_3g_2)^{y_0},\ (X_1X_3g_2)^{c y_0}(u^{I_j}h)^{r}(Y_2Y_3)^{r_1},\ g^{r}(Y_2Y_3)^{r_2}\big)$. Then $B$ creates the ESF-4 secret key from these group elements. Upon receiving a challenge IBE-key-type query for $T \in \mathbb{Z}_n$, $O$ chooses $y_0, r, r_1, r_2 \in \mathbb{Z}_N$ randomly and responds with $\big((X_1X_3g_2)^{d' y_0},\ (X_1X_3g_2)^{y_0},\ (X_1X_3g_2)^{c' y_0}(u'^{T}h')^{r}(Y_2Y_3)^{r_1},\ g^{r}(Y_2Y_3)^{r_2}\big)$ to $B$. Then $B$ creates the ESF-4 update key from these group elements.
When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. In response to each query for $I_i$ or $T^*$, $O$ gets random $t_0, t_1, \ldots, t_l \in \mathbb{Z}_p$, chooses $\beta \in \{0, 1\}$ and creates the ciphertext as $C = M_\beta\, e(X_1X_3, g)^{\alpha},\ C_0 = X_1X_3,\ \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=0}^{l}$, where the ciphertext-element-group $(C_{i,1}, C_{i,2}, C_{i,3})$ for $i > 0$ is
$$\big(T^{d}T^{c t_3} v^{t_i} g_2^{\sigma_1 t_i},\ T^{t_3} g^{t_i} g_2^{t_i},\ T^{t_3(aI_i+b)} g_2^{t_i(aI_i+b)}\big)$$
and $(C_{0,1}, C_{0,2}, C_{0,3})$ is
$$\big(T^{d'}T^{c' t_3} v'^{\,t_0} g_2^{\sigma_2 t_0},\ T^{t_3} g^{t_0} g_2^{t_0},\ T^{t_3(a'T+b')} g_2^{t_0(a'T+b')}\big).$$
We note that this is very similar to the way $O$ behaves in the proof of Lemma 12. The only difference is the $g_2^{d y_0}, g_2^{y_0}, g_2^{c y_0}$ terms, which have been added to the challenge key. As in the proof of Lemma 12, if $T \in G$, the $G_{p_3}$ components of the challenge ciphertext are properly distributed as in a response from $O_{3.5}$, since the value of $c$ modulo $p_3$ is not revealed by the challenge key-type response (it is hidden by the random term $Y_3^{r_1}$). Also as in the proof of Lemma 12, the $G_{p_2}$ components of the ciphertext-type responses are properly distributed. Thus, if $T \in G_{p_1p_2}$, $O$ has properly simulated the responses of $O_{3.6}$, and when $T \in G$, $O$ has properly simulated the responses of $O_{3.5}$. Hence, if a PPT attacker can distinguish between $G_{ESF'-5}$ and $G_{ESF'-6}$ with non-negligible advantage, $O$ can distinguish between $O_{3.5}$ and $O_{3.6}$ with non-negligible advantage.
It means $O$ can use the output of $B$ to achieve a non-negligible advantage against Assumption 4. Thus, under Assumption 4, no PPT attacker can distinguish between $O_{3.5}$ and $O_{3.6}$ with non-negligible advantage, and so no PPT attacker can distinguish between $G_{ESF'-5}$ and $G_{ESF'-6}$ with non-negligible advantage.

Lemma 14. Under Assumption 4, no PPT attacker can distinguish between $O_{3.6}$ and $O'_{7/2}$ with non-negligible advantage. So no PPT attacker can distinguish between $F^6_{i-1,2}$ and $F^6_{i,1}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $O_{3.6}$ and $O'_{7/2}$. $O$ receives $g, g_3, X_1X_2, Y_2Y_3, T$. $O$ will simulate either $O_{3.6}$ or $O'_{7/2}$ with $B$, depending on the value of $T$ (which is either in $G$ or in $G_{p_1p_3}$). $O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. $B$ initially obtains the group elements
$$g,\ u,\ h,\ v,\ w,\ X_1X_2,\ w^{y}(Y_2Y_3)^{y\psi_1},\ g^{y}(Y_2Y_3)^{y},\ v^{y}(Y_2Y_3)^{y\sigma_1} \qquad (89)$$
from its oracle simulator, which additionally chooses $\psi_1, \psi_2, \sigma_1, \sigma_2, y, y_0 \in \mathbb{Z}_N$ randomly. These are properly distributed, with $g^{s}$ implicitly set to be $X_1$. When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. When $B$ makes a ciphertext-type query for some identity $I_i$, $O$ responds by choosing a random $t_i' \in \mathbb{Z}_N$ and returning $\big((X_1X_2)^{d}(X_1X_2)^{c t_i'},\ (X_1X_2)^{t_i'(aI_i+b)},\ (X_1X_2)^{t_i'}\big)$ to $B$. When $B$ makes a ciphertext-type query for some time $T^*$, $O$ responds by choosing a random $t_0' \in \mathbb{Z}_N$ and returning $\big((X_1X_2)^{d'}(X_1X_2)^{c' t_0'},\ (X_1X_2)^{t_0'(a'T+b')},\ (X_1X_2)^{t_0'}\big)$ to $B$. This sets $X_2^{d} = g_2^{d_1}$ and $X_2^{d'} = g_2^{d_2}$, which is uniformly random because the values of $d$ and $d'$ modulo $p_2$ do not appear elsewhere. It implicitly sets $g^{t_i} = X_1^{t_i'}$. This is identically distributed to a response from $O_6$ and $O'_{7/2}$, with $a_0, b_0$ equal to $a, b$ modulo $p_2$, and $\sigma_1 = c$ modulo $p_2$, $\sigma_2 = c'$ modulo $p_2$.
We note that this is the only context in which the values of $a, b$ modulo $p_2$ appear, so this is equivalent to choosing $a_0, b_0$ independently at random. Then $B$ creates the ESF-1 ciphertexts successfully. When $A$ requests the secret key of an identity vector $ID|_j = (I_1, \ldots, I_j)$, $B$ creates the ESF-4-SK key from the HIBE-type query responses of $O$, which randomly chooses $y_1, \ldots, y_j, \lambda_1, \ldots, \lambda_{j-1}, r_1, \ldots, r_j, z, z' \in \mathbb{Z}_n$ and generates an ESF-4-SK $PSK_{HIBE,h_\theta}$ for every $\theta$: $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, and $K_{j,2} = v^{y_j}(u^{I_j}h)^{r_j}(Y_2Y_3)^{z},\ K_{j,3} = g^{r_j}(Y_2Y_3)^{z'}$. When $B$ creates the IBE private key with the index pair $(h, i_c)$ for some time $T$ and the identity vector $(I_1, \ldots, I_{j-1})$ in the index-$h$ node, the update key with index pair $(h, i_c)$ is generated as follows:
1. $i_c < h_c$: It randomly chooses $y_0, \ldots, y_{j-1}, \lambda_1$, … and generates a semi-functional update key $TUK_{ID|_l,T,\theta_h}$: $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$.
2. $i_c = h_c$: $B$ chooses random values $y_1$, … and forms the challenge key as: $U_{0,0} = g^{\alpha}\,[\mathrm{gyh}\ldots]$, $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, where $(T_0, T_1, T_2, T_3)$ is the challenge IBE key queried to $O$, who chooses a random $y_0 \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = \big(w'^{\,y_0}(Y_2Y_3)^{\psi_2 y_0},\ g^{y_0}(Y_2Y_3)^{y_0},\ v'^{\,y_0}(Y_2Y_3)^{\sigma_2 y_0} T^{a'T+b'},\ T\big)$ to $B$.
$U_{0,3} = v'^{\,y_0}(u'^{T}h')^{r_0}(Y_2Y_3)^{z'}$, and $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, where $z, z' \in \mathbb{Z}_p$ are randomly chosen.
In the challenge IBE key, it implicitly sets $g^{r}$ to be the $G_{p_1}$ part of $T$. We note that $a', b'$ modulo $p_2, p_3$ are uniformly random and do not appear elsewhere. If $T \in G_{p_1p_3}$, then this matches the distribution of $O_6$, so this will be a properly distributed normal key and $B$ is playing Game $F^6_{h_c-1,2}$. If $T \in G$, then this matches the distribution of $O'_{7/2}$ (note the random $G_{p_3}$ terms attached to the last two group elements), and then $B$ is playing Game $F^6_{h_c,1}$.
Hence, if a PPT attacker can distinguish between $F^6_{h_c-1,2}$ and $F^6_{h_c,1}$ with non-negligible advantage, $O$ can distinguish between $O_6$ and $O'_{7/2}$ with non-negligible advantage, which means $O$ gains a non-negligible advantage against Assumption 4. Thus, under Assumption 4, no PPT attacker can distinguish between $O_6$ and $O'_{7/2}$ with non-negligible advantage, and so no PPT attacker can distinguish between $F^6_{h_c-1,2}$ and $F^6_{h_c,1}$ with non-negligible advantage.

Lemma 15. Under Assumption 3, no PPT attacker can distinguish between $O'_{7/2}$ and $\tilde{O}_{q_c}$ with non-negligible advantage. So no PPT attacker can distinguish between $F^6_{i,1}$ and $F^6_{i,2}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $O'_{7/2}$ and $\tilde{O}_{q_c}$. $O$ receives $g, g_2, X_1X_3, T$. $O$ will simulate either $O'_{7/2}$ or $\tilde{O}_{q_c}$ with $B$, depending on the value of $T$ (which is either in $G_{p_1}$ or in $G_{p_1p_3}$). $O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. $B$ initially obtains the group elements (90) from its oracle simulator, and gives $A$ the public parameters in Eq 83. When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. When $B$ makes a ciphertext-type query for some identity $I$, $O$ responds by choosing a random $t \in \mathbb{Z}_N$ and returning $\big(w^{s} g_2^{d_1} v^{t} g_2^{\sigma_1 t},\ g^{t} g_2^{t},\ (u^{I}h)^{t} g_2^{t(a'I+b')}\big)$ to $B$, the same as in Eq 10. When $B$ makes a ciphertext-type query for some time $T^*$, $O$ responds by choosing a random $t' \in \mathbb{Z}_N$ and returning $\big(w'^{\,s} g_2^{d_2} v'^{\,t'} g_2^{\sigma_2 t'},\ g^{t'} g_2^{t'},\ (u'^{T}h')^{t'} g_2^{t'(a'T+b')}\big)$ to $B$. Then $B$ creates the ESF-1 ciphertexts successfully. When $A$ requests the secret key of an identity vector $ID|_j = (I_1, \ldots, I_j)$, $B$ creates the ESF-4-SK key from the HIBE-type query response of $O$, and the secret key for $ID|_j$ in some node $\theta$ is $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggy}\ldots]$.
1.
$i_c < h_c$: It randomly chooses $y_0', y_1, \ldots, y_{j-1}, \lambda_1, \ldots, \lambda_{j-1}, r_0, r_1, \ldots, r_{j-1}, z, z' \in \mathbb{Z}_n$ and generates a semi-functional update key $TUK_{ID|_l,T,\theta_h}$: $U_{0,0} = g^{\alpha}\,[\mathrm{gyh}\ldots]$, $U_{0,3} = (X_1X_3g_2)^{c' y_0'}(u'^{T}h')^{r_0}$, and $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$.
2. $i_c = h_c$: $B$ chooses random values $y_1, \ldots, y_{j-1}, \lambda_1, \ldots, \lambda_{j-1}, r_1, \ldots, r_{j-1} \in \mathbb{Z}_n$ and forms the challenge key as: $U_{0,0} = g^{\alpha}\,[\mathrm{gyh}\ldots]$, $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, where $(T_0, T_1, T_2, T_3)$ is the challenge IBE key queried to $O$, who chooses a random $y_0 \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = \big((X_1X_3g_2)^{d' y_0'},\ (X_1X_3g_2)^{y_0'},\ (X_1X_3g_2)^{c' y_0'} T^{a'T+b'},\ T\big)$. This implicitly sets $g^{r}$ to be the $G_{p_1}$ part of $T$.
$U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, where $z, z' \in \mathbb{Z}_p$ are randomly chosen.
In the challenge IBE key, it implicitly sets $g^{r_0}$ to be the $G_{p_1}$ part of $T$. We note that $a', b'$ modulo $p_2, p_3$ are uniformly random and do not appear elsewhere. If $T \in G_{p_1p_3}$, then this matches the distribution of $O'_{7/2}$, so this will be a properly distributed normal key and $B$ is playing Game $F^6_{h_c,1}$. If $T \in G_{p_1}$, then this matches the distribution of $\tilde{O}_{q_c}$, and then $B$ is playing Game $F^6_{h_c,2}$. Hence, if a PPT attacker can distinguish between $F^6_{h_c,1}$ and $F^6_{h_c,2}$ with non-negligible advantage, $O$ can distinguish between $O'_{7/2}$ and $\tilde{O}_{q_c}$ with non-negligible advantage, which means $O$ gains a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $O'_{7/2}$ and $\tilde{O}_{q_c}$ with non-negligible advantage, and so no PPT attacker can distinguish between $F^6_{h_c,1}$ and $F^6_{h_c,2}$ with non-negligible advantage.

Lemma 16. Under Assumption 3, no PPT attacker can distinguish between $\tilde{O}_k$ and $\tilde{O}''_k$ with non-negligible advantage. So no PPT attacker can distinguish between $S'_{k,1}$ and $S'_{k,3}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $\tilde{O}''_k$, $\tilde{O}_k$. $O$ receives $g, g_2, X_1X_3, T$.
$O$ will simulate either $\tilde{O}''_k$ or $\tilde{O}_k$ with $B$, depending on the value of $T$ (which is either in $G_{p_1}$ or in $G_{p_1p_3}$). $B$ initially obtains the group elements in Eq 82: $g,\ u,\ h,\ v,\ w,\ g^{s}g_2^{\gamma},\ (X_1X_3)^{d}g_2^{y_2 d},\ (X_1X_3)g_2^{y_2},\ (X_1X_3)^{c}g_2^{c y_2}$, and forms $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggy} \ldots \textstyle\sum_{i=1}^{j-1}\lambda_i \ldots]\,(X_1X_3g_2)^{d y_j'},\ K_{j,1} = (X_1X_3g_2)^{y_j'},\ K_{j,2} = (X_1X_3)^{r_j'} g_2^{z'},\ K_{j,3} = (X_1X_3g_2)^{c y_j'}(X_1X_3)^{r_j'(aI_j+b)} g_2^{z}$, where $y_1, \ldots, y_{j-1}, y_j', \lambda_1, \ldots, \lambda_{j-1}, r_1, \ldots, r_{j-1}, r_j', z, z' \in \mathbb{Z}_n$ are randomly chosen. When $A$ requests the update key of an identity vector $ID|_j = (I_1, \ldots, I_j)$ and the time $T$, $B$ creates the UK key from the IBE-type query response of $O$, and the secret key for $ID|_j$ in some node $\theta$ is generated as follows: $O$ randomly chooses $y_0', y_1, \ldots, y_{j-1}, \lambda_1, \ldots, \lambda_{j-1}, r_0, r_1, \ldots, r_{j-1}, z, z' \in \mathbb{Z}_n$ and generates a semi-functional update key $TUK_{ID|_l,T,\theta_h}$: $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$.
When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. In response to each query for $I_i$ or $T^*$, $O$ gets random $t_0, t_1, \ldots, t_l \in \mathbb{Z}_p$, chooses $\beta \in \{0, 1\}$ and creates the ciphertext as $C = M_\beta\, e(g^{s}g_2^{\gamma}, g)^{\alpha},\ C_0 = g^{s}g_2^{\gamma},\ \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=0}^{l}$, where the ciphertext-element-group $(C_{i,1}, C_{i,2}, C_{i,3})$ is defined as follows:
1. $i < k$: If $i = 0$, the ciphertext-element-group is $\big(w'^{\,s}g_2^{d_2}v'^{\,t_0}g_2^{c' t_0},\ (u'^{T}h')^{t_0}g_2^{(a'T+b')t_0},\ g^{t_0}g_2^{t_0}\big)$; else the element group is $\big(w^{s}g_2^{d_1}v^{t_i}g_2^{c t_i},\ (u^{I_i}h)^{t_i}g_2^{(a'I_i+b')t_i},\ g^{t_i}g_2^{t_i}\big)$. This is identically distributed to a response from $O_2$.
2. $i = k$: $O$ chooses $z \in \mathbb{Z}_p$ randomly and responds with the ciphertext-element-group $(T_1, T_3, T_2) = \big(w^{s}g_2^{d_1}T^{c}g_2^{cz},\ T^{t_i(aI_i+b)}g_2^{z(a'I_i+b')},\ Tg_2^{z}\big)$ if $k > 0$. Else, if $k = 0$, $O$ responds with $\big(w'^{\,s}g_2^{d_2}T^{c'}g_2^{c'z},\ T^{t_0(a'T+b')}g_2^{z(a'T+b')},\ Tg_2^{z}\big)$. We note that the $G_{p_2}$ parts here are properly distributed, since $\sigma_1 = c$ modulo $p_2$ and $\sigma_2 = c'$ modulo $p_2$.
3. $i > k$: The ciphertext-element-group is $\big(w^{s}g_2^{d_1}v^{t_i},\ (u^{I_i}h)^{t_i},\ g^{t_i}\big)$.
This is identically distributed to a response from $O_1$. When $T \in G_{p_1}$, the values of $a, b$ modulo $p_3$ only appear in the response to the challenge key-type query, which means that the $G_{p_3}$ terms on the last two group elements there are uniformly random. Also, the response to the $k$th ciphertext-type query is distributed exactly like a response from $O_2$. In this case, $O$ has properly simulated the responses of $\tilde{O}_k$, this will be a properly distributed EST-2k-CT, and so $B$ is playing Game $S'_{k,1}$. When $T \in G_{p_1p_3}$, we must argue that the values $aI + b$ and $aI_k + b$ appear uniformly random modulo $p_3$: this follows from the pairwise independence of $aI + b$ as a function of $I$ modulo $p_3$, since we have restricted the Type-1 adversary to choose $I$ and $I_k$ so that $I \neq I_k$ modulo $p_3$, and $a, b$ modulo $p_3$ only appear in these two values. Hence, $O$ has produced a properly distributed EST-4k-CT and has properly simulated the responses of $\tilde{O}''_k$ in this case, so $B$ is playing Game $S'_{k,3}$. We have thus shown that $O$ can use the output of $B$ to achieve a non-negligible advantage against Assumption 3. Hence, if a PPT attacker can distinguish between $S'_{k,3}$ and $S'_{k,1}$ with non-negligible advantage, $O$ can distinguish between $\tilde{O}''_k$ and $\tilde{O}_k$ with non-negligible advantage, which means $O$ can use the output of $B$ to achieve a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $\tilde{O}''_k$ and $\tilde{O}_k$ with non-negligible advantage, and so no PPT attacker can distinguish between $S'_{k,3}$ and $S'_{k,1}$ with non-negligible advantage.

Lemma 17. Under Assumption 4, no PPT attacker can distinguish between $\tilde{O}''_k$ and $\tilde{O}'_k$ with non-negligible advantage. So no PPT attacker can distinguish between $S'_{k,3}$ and $S'_{k,2}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $\tilde{O}'_k$, $\tilde{O}''_k$. $O$ receives $g, g_3, X_1X_2, Y_2Y_3, T$. $O$ will simulate either $\tilde{O}'_k$ or $\tilde{O}''_k$ with $B$, depending on the value of $T$ (which is either in $G$ or in $G_{p_1p_3}$).
$O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. $B$ initially obtains the group elements in Eq 85: $g,\ u,\ v,\ w,\ X_1X_2,\ w^{y}(Y_2Y_3)^{\psi},\ g^{y}(Y_2Y_3),\ v^{y}(Y_2Y_3)^{c},\ u',\ v',\ w',\ w'^{\,y_0}(Y_2Y_3)^{z\psi},\ g^{y_0}(Y_2Y_3)^{z},\ v'^{\,y_0}(Y_2Y_3)^{zc'}$ from its oracle simulator, where $z, y_0, y, \psi \in \mathbb{Z}_p$ are randomly chosen. When $A$ makes a secret key query for the identity $ID|_j = (I_1, \ldots, I_j)$, $B$ makes its challenge HIBE-key-type query for $I_j$; $O$ chooses $r, y_0, z, z' \in \mathbb{Z}_n$ randomly and returns the group elements $\big(w^{y_0}(Y_2Y_3)^{y_0\psi_1},\ g^{y_0}(Y_2Y_3)^{y_0},\ g^{r}(Y_2Y_3)^{z},\ v^{y_0}(u^{I}h)^{r}(Y_2Y_3)^{z'}\big)$ to $B$. Then $B$ creates the ESF-4 secret key from these group elements. Upon receiving a challenge IBE-key-type query for $T \in \mathbb{Z}_n$, $O$ chooses $r_0, y_0 \in \mathbb{Z}_n$ randomly and returns the group elements $\big(w'^{\,y_0}(Y_2Y_3)^{y_0\psi_2},\ g^{y_0}(Y_2Y_3)^{y_0},\ g^{r_0},\ v'^{\,y_0}(Y_2Y_3)^{y_0\sigma_2}(u'^{T}h')^{r_0}\big)$ to $B$. Then $B$ creates the semi-functional update key from these group elements.
When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. In response to each query for $I_i$ or $T^*$, $O$ gets random $t_0', t_1', \ldots, t_k', t_{k+1}, \ldots, t_l \in \mathbb{Z}_p$, chooses $\beta \in \{0, 1\}$ and creates the ciphertext as $C = M_\beta\, e(X_1X_2, g)^{\alpha},\ C_0 = X_1X_2,\ \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=0}^{l}$, where the ciphertext-element-group $(C_{i,1}, C_{i,2}, C_{i,3})$ is defined as follows:
1. $i < k$: If $i = 0$, the ciphertext-element-group is $\big((X_1X_2)^{d'}(X_1X_2)^{c' t_0'},\ (X_1X_2)^{t_0'(a'T+b')},\ (X_1X_2)^{t_0'}\big)$; else the ciphertext-element-group is $\big((X_1X_2)^{d}(X_1X_2)^{c t_i'},\ (X_1X_2)^{t_i'(aI_i+b)},\ (X_1X_2)^{t_i'}\big)$. This sets $X_2^{d} = g_2^{d_1}$ and $X_2^{d'} = g_2^{d_2}$, which is uniformly random because the values of $d$ and $d'$ modulo $p_2$ do not appear elsewhere. It implicitly sets $g^{t_i} = X_1^{t_i'}$. This is identically distributed to a response from $O_2$, with $a_0, b_0$ equal to $a, b$ modulo $p_2$, and $\sigma_1 = c$ modulo $p_2$, $\sigma_2 = c'$ modulo $p_2$.
We note that this is the only context in which the values of $a, b$ modulo $p_2$ appear, so this is equivalent to choosing $a_0, b_0$ independently at random.
2. $i = k$: If $k = 0$, the ciphertext-element-group is $(T_1, T_3, T_2) = \big((X_1X_2)^{d'}T^{c'},\ T^{a'T+b'},\ T\big)$; if $k > 0$, the ciphertext-element-group is $(T_1, T_3, T_2) = \big((X_1X_2)^{d}T^{c},\ T^{aI_i+b},\ T\big)$.
3. $i > k$: The ciphertext-element-group is $\big((X_1X_2)^{d}v^{t_i},\ (u^{I_i}h)^{t_i},\ g^{t_i}\big)$.
$g,\ u,\ h,\ v,\ w,\ g^{s}g_2^{\gamma},\ (X_1X_3)^{d}g_2^{y_2 d},\ (X_1X_3)g_2^{y_2},\ (X_1X_3)^{c}g_2^{c y_2}$ from its oracle simulator. It chooses $\alpha \in \mathbb{Z}_n$ randomly and gives $A$ the public parameters in Eq 83. $B$ can respond using the normal update key generation and the normal decryption key derivation algorithms, since it knows $\alpha$. When $A$ requests the secret key of an identity vector $ID|_j = (I_1, \ldots, I_j)$, $B$ creates the ESF-4-SK key from the HIBE-type query response of $O$, and the secret key for $ID|_j$ in some node $\theta$ is $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggy}\ldots]$, where $y_1, \ldots, y_{j-1}, y_j', \lambda_1, \ldots, \lambda_{j-1}, r_1, \ldots, r_{j-1}, r_j', z, z' \in \mathbb{Z}_n$ are randomly chosen. When $A$ requests the update key of an identity vector $ID|_j = (I_1, \ldots, I_j)$ and the time $T$, $B$ creates the UK key from the IBE-type query response of $O$, and the secret key for $ID|_j$ in some node $\theta$ is generated as follows: $O$ randomly chooses $y_0', y_1, \ldots, y_{j-1}, \lambda_1, \ldots, \lambda_{j-1}, r_0, r_1, \ldots, r_{j-1}, z, z' \in \mathbb{Z}_n$ and generates a semi-functional update key $TUK_{ID|_l,T,\theta_h}$: $U_{i,0} = g^{\lambda_i} w^{y_i},\ U_{i,1} = g^{y_i},\ U_{i,2} = g^{r_i},\ U_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$.
When $A$ requests the challenge ciphertext for messages $M_0, M_1$, identity vector $(I_1, \ldots, I_l)$ and $T^*$, $B$ makes a ciphertext-type query to the oracle for each $I_i$ and for $T^*$. In response to each query for $I_i$ or $T^*$, $O$ gets random $t_0, t_1, \ldots, t_l \in \mathbb{Z}_p$, chooses $\beta \in \{0, 1\}$ and creates the ciphertext as $C = M_\beta\, e(g^{s}g_2^{\gamma}, g)^{\alpha},\ C_0 = g^{s}g_2^{\gamma},\ \{C_{i,1}, C_{i,2}, C_{i,3}\}_{i=0}^{l}$, where the ciphertext-element-group $(C_{i,1}, C_{i,2}, C_{i,3})$ is defined as follows:
1.
$i < k$: If $i = 0$, $O$ responds with the ciphertext-element-group $\big(w'^{\,s}g_2^{d_2}v'^{\,t_0}g_2^{c' t_0},\ (u'^{T}h')^{t_0}g_2^{(a'T+b')t_0},\ g^{t_0}g_2^{t_0}\big)$; else the element group is $\big(w^{s}g_2^{d_1}v^{t_i}g_2^{c t_i},\ (u^{I_i}h)^{t_i}g_2^{(a'I_i+b')t_i},\ g^{t_i}g_2^{t_i}\big)$.
2. $i = k$: The ciphertext-element-group is $(T_1, T_3, T_2) = \big(w^{s}g_2^{d_1}T^{c},\ T^{t_i(aI_i+b)},\ T\big)$.
3. $i > k$: The ciphertext-element-group is $\big(w^{s}g_2^{d_1}v^{t_i},\ (u^{I_i}h)^{t_i},\ g^{t_i}\big)$.
We must now argue that the responses to the challenge key-type query and to the $k$th ciphertext-type query are properly distributed. If $T \in G_{p_1}$, then the response to the $k$th ciphertext-type query is identically distributed to a response from $O_1$, and the values $a, b$ modulo $p_3$ only appear in the response to the challenge key-type query; hence the $G_{p_3}$ parts on the last two group elements there appear random in $G_{p_3}$. This will be a properly distributed EST-2k−1-CT, which means that the responses of $O$ properly simulate the responses of $\tilde{O}_{k-1}$ and $B$ is playing Game $S'_{k-1,1}$. If $T \in G_{p_1p_3}$, then we must argue that $aI + b$ and $aI_k + b$ both appear to be uniformly random modulo $p_3$: this follows from the pairwise independence of the function $aI + b$ modulo $p_3$, since we have restricted the Type-1 adversary to choose $I$ and $I_k$ so that $I \neq I_k$ modulo $p_3$. This means that the $G_{p_3}$ components on the last two group elements of the challenge key-type query response and on the $k$th ciphertext-type query response are uniformly random in the attacker's view. In this case, $O$ has produced a properly distributed EST-3k-CT, which means that $O$ has properly simulated the responses of $\tilde{O}'_k$ and $B$ is playing Game $S'_{k,2}$. Hence, if a PPT attacker can distinguish between $S'_{k-1,1}$ and $S'_{k,2}$ with non-negligible advantage, $O$ can distinguish between $\tilde{O}_{k-1}$ and $\tilde{O}'_k$ with non-negligible advantage, which means $O$ can use the output of $B$ to achieve a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $\tilde{O}_{k-1}$ and $\tilde{O}'_k$ with non-negligible advantage.
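The pairwise-independence step that both this proof and the proof of Lemma 16 rely on (the pair $(aI+b,\ aI_k+b)$ is uniform modulo $p_3$ exactly when $I \neq I_k$ modulo $p_3$, which is why the Type-1 adversary is restricted that way) can be checked exhaustively for small primes. The following Python is an added example, not code from the paper; the primes $p_1, p_2, p_3$ and the identities are constructed toy values standing in for the real composite-order parameters.

```python
from collections import Counter
from itertools import product

# Constructed toy parameters standing in for the composite order N = p1*p2*p3
# of the paper; the real primes are hundreds of bits long.
P1, P2, P3 = 3, 5, 7


def joint_distribution(I, I_k, p):
    """Tabulate the pair (a*I + b, a*I_k + b) mod p over every (a, b) in Z_p^2.

    These are exactly the two exponents the proof reasons about: the challenge
    key-type response exposes a*I + b mod p3, the k-th ciphertext-type response
    exposes a*I_k + b mod p3, and nothing else depends on a, b modulo p3.
    """
    return Counter(
        ((a * I + b) % p, (a * I_k + b) % p) for a, b in product(range(p), repeat=2)
    )


def is_pairwise_independent(I, I_k, p):
    """True iff (a*I + b, a*I_k + b) is uniform on Z_p^2 for uniform (a, b).

    Uniformity means each of the p^2 possible pairs is hit exactly once, i.e.
    the linear map (a, b) -> (a*I + b, a*I_k + b) is a bijection of Z_p^2.
    """
    dist = joint_distribution(I, I_k, p)
    return len(dist) == p * p and set(dist.values()) == {1}


def type1_restriction_holds(I, I_k, p3=P3):
    """The restriction the proof places on a Type-1 adversary: I != I_k mod p3.

    Agreement modulo p1 or p2 is irrelevant to the G_{p3} argument, so only
    the p3 component of the identities is compared.
    """
    return (I - I_k) % p3 != 0


def independence_matches_restriction(I, I_k, p3=P3):
    """For one identity pair: pairwise independence modulo p3 holds exactly
    when the Type-1 restriction holds (the map above has determinant I - I_k,
    invertible mod p3 iff it is non-zero mod p3)."""
    return is_pairwise_independent(I, I_k, p3) == type1_restriction_holds(I, I_k, p3)


def all_pairs_consistent(N=P1 * P2 * P3, p3=P3):
    """Exhaustively confirm the equivalence for every pair of identities in Z_N."""
    return all(
        independence_matches_restriction(I, I_k, p3)
        for I, I_k in product(range(N), repeat=2)
    )


if __name__ == "__main__":
    # 2 and 17 agree mod 3 and mod 5 but differ mod 7: independence still holds.
    print(is_pairwise_independent(2, 17, P3))   # True
    # 2 and 9 collide mod 7, so a*I + b == a*I_k + b always: not independent.
    print(is_pairwise_independent(2, 9, P3))    # False
    print(all_pairs_consistent())               # True
```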
Thus, no PPT attacker can distinguish between $S'_{k-1,1}$ and $S'_{k,2}$ with non-negligible advantage.

Lemma 19. Under Assumption 4, no PPT attacker can distinguish between $\tilde{O}_0$ and $O_{7/2}$ with non-negligible advantage. So no PPT attacker can distinguish between $I_{h_c-1,2}$ and $I_{h_c,1}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $\tilde{O}_0$, $O_{7/2}$. $O$ receives $g, g_3, X_1X_2, Y_2Y_3, T$. $O$ will simulate either $\tilde{O}_0$ or $O_{7/2}$ with $B$, depending on the value of $T$ (which is either in $G$ or in $G_{p_1p_3}$). $O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. $B$ initially obtains the group elements in Eq 89: $g,\ u,\ h,\ v,\ w,\ X_1X_2,\ w^{y}(Y_2Y_3)^{y\psi_1},\ g^{y}(Y_2Y_3)^{y},\ v^{y}(Y_2Y_3)^{y\sigma_1}$, and $\big(w'^{\,y_0}(Y_2Y_3)^{y_0\psi_2},\ g^{y_0}(Y_2Y_3)^{y_0},\ g^{r_0},\ v'^{\,y_0}(Y_2Y_3)^{y_0\sigma_2}(u'^{T}h')^{r_0}\big)$.
1. $i_c < h_c$: It randomly chooses $y_1, \ldots, y_j, \lambda_1$, … and generates a semi-functional secret key $TUK_{ID|_l,T,\theta_h}$: $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggyh} \ldots \textstyle\sum_{i=1}^{j-1}\lambda_i \ldots]\, w^{y_j}(Y_2Y_3)^{y_j\psi_1},\ K_{j,1} = g^{y_j}(Y_2Y_3)^{y_j},\ K_{j,2} = g^{r_j},\ K_{j,3} = v^{y_j}(Y_2Y_3)^{y_j\sigma_1}(u^{I_j}h)^{r_j}$.
$K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggyh} \ldots \textstyle\sum_{i=1}^{j-1}\lambda_i \ldots]\, T_0,\ K_{j,1} = T_1,\ K_{j,2} = T_3,\ K_{j,3} = T_2$, where $(T_0, T_1, T_2, T_3)$ is the challenge HIBE key queried to $O$, who chooses a random $y_j \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = \big(w^{y_j}(Y_2Y_3)^{\psi_1 y_j},\ g^{y_j}(Y_2Y_3)^{y_j},\ v^{y_j}(Y_2Y_3)^{\sigma_1 y_j} T^{aI_j+b},\ T\big)$ to $B$.
3. $i_c > h_c$: It generates an ESF-4-SK as $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\ldots \textstyle\sum_{i=1}^{j-1}\lambda_i \ldots]\, w^{y_j}(Y_2Y_3)^{\psi_1 y_j},\ K_{j,1} = g^{y_j}(Y_2Y_3)^{y_j},\ K_{j,2} = g^{r_j}(Y_2Y_3)^{z},\ K_{j,3} = v^{y_j}(u^{I_j}h)^{r_j}(Y_2Y_3)^{z'}$, where $z, z' \in \mathbb{Z}_p$ are randomly chosen.
In the challenge HIBE key, it implicitly sets $g^{r_j}$ to be the $G_{p_1}$ part of $T$. We note that $a, b$ modulo $p_2, p_3$ are uniformly random and do not appear elsewhere. If $T \in G_{p_1p_3}$, then this matches the distribution of $\tilde{O}_0$, so this will be a properly distributed ESF-4-SK key and $B$ is playing Game $I_{h_c-1,2}$.
If $T \in G$, then this matches the distribution of $O_{7/2}$ (note the random $G_{p_3}$ terms attached to the last two group elements), and then $B$ is playing Game $I_{h_c,1}$. Hence, if a PPT attacker can distinguish between $I_{h_c-1,2}$ and $I_{h_c,1}$ with non-negligible advantage, $O$ can distinguish between $\tilde{O}_0$ and $O_{7/2}$ with non-negligible advantage, which means $O$ gains a non-negligible advantage against Assumption 4. Thus, under Assumption 4, no PPT attacker can distinguish between $\tilde{O}_0$ and $O_{7/2}$ with non-negligible advantage, and so no PPT attacker can distinguish between $I_{h_c-1,2}$ and $I_{h_c,1}$ with non-negligible advantage.

Lemma 20. Under Assumption 3, no PPT attacker can distinguish between $O_{7/2}$ and $O_4$ with non-negligible advantage. So no PPT attacker can distinguish between $I_{h_c,1}$ and $I_{h_c,2}$ with non-negligible advantage.

Proof. We assume $B$ interacts with one of $O_{7/2}$ and $O_4$. $O$ receives $g, g_2, X_1X_3, T$. $O$ will simulate either $O_{7/2}$ or $O_4$ with $B$, depending on the value of $T$ (which is either in $G_{p_1}$ or in $G_{p_1p_3}$). $O$ picks values $a, b, c, d, a', b', c', d' \in \mathbb{Z}_N$ uniformly at random and sets $u = g^{a}, h = g^{b}, v = g^{c}, w = g^{d}, u' = g^{a'}, h' = g^{b'}, v' = g^{c'}, w' = g^{d'}$. $B$ initially obtains the group elements in Eq 90: $g,\ u,\ h,\ v,\ w,\ g^{s}g_2^{\gamma},\ (X_1X_3)^{d}g_2^{dy},\ (X_1X_3)g_2^{y},\ (X_1X_3)^{c}g_2^{y'}$, and $\big((X_1X_3g_2)^{d' y_0'},\ (X_1X_3g_2)^{y_0'},\ g^{r_0},\ (X_1X_3g_2)^{c' y_0'}(u'^{T}h')^{r_0}\big)$ to $B$. Then $B$ creates the semi-functional update key from these group elements. When $B$ creates the HIBE private key with the index pair $(h, i_c)$ for the identity vector $(I_1, \ldots, I_{j-1})$ in the index-$h$ node, the secret key with index pair $(h, i_c)$ is generated as follows:
1.
$i_c < h_c$: It randomly chooses $y_j', y_1, \ldots, y_{j-1}, \lambda_1, \ldots, r_j, z, z' \in \mathbb{Z}_n$ and generates a semi-functional secret key $PSK_{ID|_j,\theta_h}$: $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggyh} \ldots \textstyle\sum_{i=1}^{j-1}\lambda_i \ldots]\,(X_1X_3g_2)^{d y_j'},\ K_{j,1} = (X_1X_3g_2)^{y_j'},\ K_{j,2} = g^{r_j},\ K_{j,3} = (X_1X_3g_2)^{c y_j'}(u^{I_j}h)^{r_j}$.
$K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggyh}\ldots]$, where $(T_0, T_1, T_2, T_3)$ is the challenge HIBE key queried to $O$, who chooses a random $y_j' \in \mathbb{Z}_N$ and returns $(T_0, T_1, T_2, T_3) = \big((X_1X_3g_2)^{d y_j'},\ (X_1X_3g_2)^{y_j'},\ (X_1X_3g_2)^{c y_j'} T^{aI_j+b},\ T\big)$. This implicitly sets $g^{r_j}$ to be the $G_{p_1}$ part of $T$.
3. $i_c > h_c$: It generates an ESF-4-SK as $K_{i,0} = g^{\lambda_i} w^{y_i},\ K_{i,1} = g^{y_i},\ K_{i,2} = g^{r_i},\ K_{i,3} = (u^{I_i} h)^{r_i} v^{y_i}$ for $i \in \{1, \ldots, j-1\}$, $K_{j,0} = [\mathrm{ggyh}\ldots]$, where $z, z' \in \mathbb{Z}_p$ are randomly chosen.
In the challenge HIBE key, it implicitly sets $g^{r_j}$ to be the $G_{p_1}$ part of $T$. We note that $a, b$ modulo $p_2, p_3$ are uniformly random and do not appear elsewhere. If $T \in G_{p_1p_3}$, then this matches the distribution of $O_{7/2}$, so this will be a properly distributed normal key and $B$ is playing Game $I_{h_c,1}$. If $T \in G_{p_1}$, then this matches the distribution of $O_4$, and then $B$ is playing Game $I_{h_c,2}$. Hence, if a PPT attacker can distinguish between $I_{h_c,1}$ and $I_{h_c,2}$ with non-negligible advantage, $O$ can distinguish between $O_{7/2}$ and $O_4$ with non-negligible advantage, which means $O$ gains a non-negligible advantage against Assumption 3. Thus, under Assumption 3, no PPT attacker can distinguish between $O_{7/2}$ and $O_4$ with non-negligible advantage, and so no PPT attacker can distinguish between $I_{h_c,1}$ and $I_{h_c,2}$ with non-negligible advantage.

Acknowledgments. This research is supported by the project of the National Basic Research and Development Program of China (973 Program) No. 2012CB315906 and the National Key Research and Development Program 2017YFB0802301.

Formal analysis: Qianqian Xing, Xiaofeng Wang, Jing Tao.
Funding acquisition: Baosheng Wang, Xiaofeng Wang.
Investigation: Qianqian Xing, Xiaofeng Wang, Jing Tao. Methodology: Qianqian Xing, Xiaofeng Wang. Project administration: Baosheng Wang, Xiaofeng Wang. Resources: Qianqian Xing, Baosheng Wang. Supervision: Baosheng Wang. Validation: Qianqian Xing. Writing – original draft: Qianqian Xing. Writing – review & editing: Qianqian Xing, Xiaofeng Wang, Jing Tao.



Qianqian Xing, Baosheng Wang, Xiaofeng Wang, Jing Tao. Unbounded and revocable hierarchical identity-based encryption with adaptive security, decryption key exposure resistant, and short public parameters, PLOS ONE, 2018, DOI: 10.1371/journal.pone.0195204