An Efficient and Provable Secure Revocable Identity-Based Encryption Scheme

Revocation functionality is necessary and crucial to identity-based cryptosystems. Revocable identity-based encryption (RIBE) has attracted a lot of attention in recent years, many RIBE schemes have been proposed in the literature but shown to be either insecure or inefficient. In this paper, we propose a new scalable RIBE scheme with decryption key exposure resilience by combining Lewko and Waters’ identity-based encryption scheme and complete subtree method, and prove our RIBE scheme to be semantically secure using dual system encryption methodology. Compared to existing scalable and semantically secure RIBE schemes, our proposed RIBE scheme is more efficient in term of ciphertext size, public parameters size and decryption cost at price of a little looser security reduction. To the best of our knowledge, this is the first construction of scalable and semantically secure RIBE scheme with constant size public system parameters.


Introduction
Shamir [1] first introduced the concept of identity-based public key cryptography (ID-PKC) where a public key can be an arbitrary string such as an email address or a telephone number, while the corresponding private key can only be generated by a private key generator (PKG) who has the knowledge of the master secret. The first secure and practical identity-based encryption (IBE) scheme was proposed by Boneh and Franklin [2] from bilinear pairings, which is proved to be semantically secure against adaptive chosen ciphertext attack (IND-ID-CCA) under the Decisional Bilinear Diffie-Hellman (DBDH) assumption in the random oracle model.
Boneh and Franklin's work spurred a great deal of research on IBE. One important research direction is to construct provably secure IBE schemes in the standard model, because random oracle model only provides heuristic security [3]. Canetti, Halevi, and Katz [4] defined a weaker security notion for IBE, known as selective-ID model, in which the adversary commits ahead of time to the identity that it intends to attack. Boneh and Boyen [5] proposed two efficient IBE schemes that are secure in the selective-ID model without random oracle. The first IBE construction (BB1-IBE) is based on the DBDH assumption, while the second IBE construction (BB2-IBE) is based on a non-standard Decision Bilinear Diffie-Hellman Inversion (DBDHI) assumption. Waters [6] improved BB1-IBE scheme and proposed an efficient IBE scheme which is proved to be semantically secure without random oracles under the DBDH assumption in adaptive-ID model. Gentry [7] presented an IBE scheme with short public parameters which is proved to be semantically secure without random oracles under a non-static assumption in adaptive-ID model. Waters [8] introduced a new technique called dual system encryption and proposed an IBE scheme that is proved to be semantically secure without random oracle under standard (static) assumption in adaptive-ID model. Recently, Lewko and Waters [9] gave a new dual system encryption realization of IBE from composite order bilinear groups, which is proved to be semantically secure without random oracle under the subgroup decision assumption in adaptive-ID model.
Another important research direction is to construct IBE schemes with efficient revocation. Suppose that Alice has left the organization or her private key is compromised or stolen by an adversary in some scenarios [10]. On the one hand, Alice will be withdrawn from the right of accessing the information with respect to her public key. On the other hand, Alice's private key will be revoked to prevent the adversary with her compromised private key to access confidential data encrypted under her public key. Thus, revocation functionality is necessary and crucial to publickey cryptosystems. In the public key infrastructure setting, numerous solutions have been proposed, such as periodic publication mechanisms (e.g. certificate revocation list) and online query mechanisms (e.g. online certificate status protocol). In the ID-PKC setting, however, key revocation is non-trivial. This is because a user's identity is itself a public key, thus one can not simply change her public key, as this changes her identity as well. An ideal revocation method for IBE is that a sender can generates a ciphertext as the same as that of IBE without worrying about the revocation of a receiver and only the receiver needs to check the revocation of his private key to decrypt the ciphertext.
Revocable IBE (RIBE) has attracted a lot of attention in recent years, many RIBE schemes have been proposed [2,[11][12][13][14][15]. Boneh and Franklin [2] proposed a trivial method to achieve revocation functionality for IBE (BF-RIBE for short) by representing an identity as IDET where ID is the real identity and T is a current time. Since new decryption keys are needed to be issued by the PKG for each time period, this introduces huge overheads for PKG that are linearly increased in the number of users and a secure channel is needed between PKG and users to transmit updated private key. Thus, BF-RIBE is not scalable.
Boldyreva et al. [11] proposed the first scalable RIBE scheme (BGK-RIBE for short) by combining Sahai and Waters' fuzzy IBE scheme [16] and Naor et al.'s complete subtree method [17], where the PKG's overhead increases logarithmically (instead of linearly) in the number of users. The idea of BGK-RIBE scheme consists in assigning users to the leaves of a complete binary tree. Each user is provided by PKG with a set of private keys sk ID corresponding to his/her identity ID for each node on the path from his/her associated leaf to the root of the tree via a secure channel as in IBE scheme. PKG broadcasts key updates ku T in each time period T for a set Y of nodes that contains no ancestors of revoked users and exactly one ancestor of any non-revoked one (as illustrated in Figure 1 where the nodes of Y are the squares). Then, a user assigned to leaf g is able to form an effective decryption key dk ID,T for period T if the set Y contains a node on the path from the root to g. By doing so, every update of the revocation list RL only requires PKG to perform logarithmic work in the overall number of users and no secure channel is required between PKG and users. The size of users' private keys also logarithmically depends on the maximal number of users.
Another idea of BGK-RIBE scheme consists in applying fuzzy IBE primitive. In fuzzy IBE systems, identities are regarded as sets of descriptive attributes instead of a single identity string in IBE systems, and a user with private key for the attribute setṽ v is able to decrypt a ciphertext encrypted for an attribute setṽ v 0 if and only ifṽ v andṽ v 0 have an overlap of at least d attributes. The BGK-RIBE scheme uses a special kind of fuzzy IBE where ciphertexts are encrypted using the receiver's identity and the period number as ''attributes''. The decryption key of the receiver has to match both attributes to decrypt the ciphertext. For each node on the path from the root to its assigned leaf, the user is given a key attribute that is generated using a new polynomial with degree 1 for which the constant term is always the master secret. The same polynomials are used, for each node, to generate key updates. To compute a decryption key for period T, each user thus needs to combine two key attributes associated with the same node of the tree. Since there is no adaptive-ID secure fuzzy IBE scheme in the literature, BGK-RIBE scheme [11] is only proved to be secure in selective-ID model.
Later, Libert and Vergnaud [12] proposed the first adaptive-ID secure scalable RIBE scheme (LV-RIBE for short) based on same idea as BGK-RIBE scheme, but, instead of using fuzzy IBE scheme, they applied the idea of two-level hierarchial IBE scheme (HIBE for short). They use adaptive-ID secure Libert and Vergnaud's black-box accountable authority IBE scheme [18] in the first level to handle user's long term private keys (associated with identities), and use selective-ID secure Boneh and Boyen's BB1-IBE scheme [5] in the second level to handle decryption keys (associate with time periods). Seo and Emura [13] refined the security model of RIBE by considering the decryption key exposure attacks, and proposed a scalable RIBE scheme (SE-RIBE for short) with decryption key exposure resistance based on same idea as LV-RIBE scheme. Seo and Emura use adaptive-ID secure Waters IBE scheme [6] in the first level to handle user's long term private keys, and use selective-ID secure BB1-IBE scheme [5] in the second level to handle decryption keys. Recently, Park et al. [14] proposed a scalable RIBE scheme with shorter private key and update key by using multilinear maps, but the size of the public parameters is dependent to the number of users. Lee et al. [15] presented a new technique for RIBE that uses the subset difference method instead of using the complete subtree method to improve the size of update keys.
Existing adaptive-ID secure scalable RIBE constructions are built on combining two-level HIBE schemes and complete subtree method, and proved security with partition strategy in which the space of identities is partitioned into the set of identities for which a valid secret key can be simulated and those for which a valid challenge ciphertext can be simulated.
In this paper, we propose an efficient adaptive-ID secure scalable RIBE scheme by combinineg two-level Lewko and Waters HIBE scheme [9] and complete subtree method. To prove security for our RIBE scheme in adaptive-ID model, we adopt Waters dual system encryption methodology [8]. However, we can not use dual system encryption methodology directly to prove the security of RIBE schemes. This is because an adversary in RIBE schemes can issue private key query for the challenge identity ID Ã as long as ID Ã has been revoked before the challenge time T Ã , while an adversary in IBE schemes can not issue private key query for the Figure 1. Example of KUNode Algorithm. Assume that the user associated with node 9 is revoked. As figure illustrated, user assigned to leaf node 7 has subkeys of node 7, 3, 1 and root. In time period T, only user assigned to leaf node 9 is revoked, the square nodes are update nodes set outputted by the KUNode algorithm, it's obvious that this set does not contain any node on the path from node 9 to root node. doi: 10  challenge identity ID Ã . Furthermore, as stated in Seo and Emura [13], an adversary in a scalable RIBE scheme with decryption key exposure resistance may obtain not a private key sk IDÃ but a decryption key dk IDÃ,T , and ID Ã can still be alive in the system in the challenge time period T Ã =T. To make dual system encryption methodology work properly, we need to make sure that all decryption keys, including those generated by the adversary, are semi-functional in the last step. It is not a trivial job to accomplish this transformation directly. To circumvent this issue, our approach is to design semi-functional private key and semi-functional update key, and generate a semifunctional decryption key from a semi-functional private key or a semi-functional update key.
During registration, PKG assigns a user with identity ID to a leaf node g of a complete binary tree, and issues the private key sk ID for identity ID which is composed by a set of subkeys sk ID,h~f (K 1 ,K 2 ,K 3 )g h[Path(g) , wherein each subkey is associated with a node on Path (g). At time period T, PKG broadcasts the update key ku T which is composed by a set of subkeys ku T,h~f (U 1 ,U 2 ,U 3 )g h[Y , wherein each subkey is associated with a node in Y. An intuitive way to make all decryption keys be semifunctional in the last step is to transform all subkeys of all private keys or all subkeys of update keys from normal form into semifunctional form. However, similar to the security proof in Lewko and Waters' IBE scheme [9], the adversary cannot issue private key query for identities which are equal to the challenge identity ID Ã modulo p 2 , and cannot issue update key query for time periods which are equal to the challenge time T Ã modulo p 2 , namely all subkeys of these private keys and all subkeys of these update keys can not be transformed. On the one hand, if we transform either all subkeys of the corresponding private key sk ID satisfying ID=ID Ã mod p 2 or all subkeys of the corresponding update key ku T satisfying T=T Ã mod p 2 from normal form into semi-functional form independently, the resulting decryption keys dk ID,T may not be semi-functional. On the other hand, if we transform all subkeys of the corresponding update key ku T from normal form into semi-functional form, this will result in security degradation O(r log (N=r)) when rƒN=2, and security degradation about O(N{r) when rwN=2, where N is the number of users and r is the number of revoked users.
To solve the problem of security degradation, we take advantage of the special structure of complete subtree method. We do not need to transform all subkeys of sk ID that satisfy ID=ID Ã mod p 2 and all subkeys of ku T that satisfy T=T Ã mod p 2 from normal form into semi-functional form, we just need to transform subkeys of above sk ID that satisfy h[Path(g)^h 6 [ Path(g Ã ), and subkeys of above ku T that satisfy and h'[Y^h'[Path (g Ã ) from norm form into semi-functional form, where g and g Ã are leaf nodes of binary tree that assigned to ID and ID Ã , respectively. Thus, security degradation is reduced to O(1) per transformation of a update key.
Compared to existing adaptive-ID secure scalable RIBE schemes, our RIBE scheme is more efficient in term of ciphertext size, public parameters size and decryption cost at price of a little looser security reduction. To the best of our knowledge, this is the first construction of scalable semantically secure RIBE scheme with constant size public system parameters. Table 1 shows a comparison between our RIBE scheme and existing RIBE schemes.
The rest of the paper is organized as follows. In Section 2, we introduce some preliminary works necessary for our constructions, such as bilinear group generator and complexity assumptions. In Section 3, we give formal syntax and security definitions of RIBE. In Section 4, we describe our RIBE construction. In Section 5, we prove our RIBE construction are IND-RID-CPA secure. Finally, we conclude the paper in Section 6.

Preliminaries
Bilinear group generator and complexity assumptions Definition 1. (Bilinear Group Generator) A bilinear group generator G is an algorithm that takes as input a security parameter k and outputs a bilinear group (n,G,G T ,ê e), where G and G T are cyclic groups of order n, andê e: G|G?G T is a bilinear map with the following properties: N Non-degeneracy: There is an element g[G such thatê e(g,g) has order n in G T . N Computability: There is an efficient algorithm to computê e e(g 1 ,g 2 ) for all g 1 ,g 2 [G.
Denote G(1 k )?(n~p,G,G T ,ê e) a prime order bilinear groups generator, where p is a prime. We call G(1 k )?(n~p 1 p 2 p 3 ,G,G T ,ê e) a composite order bilinear groups generator, where p 1 , p 2 and p 3 are distinct primes. The subgroups of order p 1 , p 2 and p 3 in G are denoted by G p1 , G p2 and G p3 , respectively. Note that when Definition 2. (Decision Bilinear Diffie-Hellman Assumption) Given a prime order bilinear group (p,G,G T ,ê e) generated by G(1 k ), we define the following two distributions: We say that the DBDH assumption holds in the prime order bilinear group (p,G,G T ,ê e) if no probabilistic polynomial time (PPT) algorithm has a non-negligible advantage in solving the DBDH problem in the prime order bilinear group (p,G,G T ,ê e). Assumption 1. (Subgroup decision problem for 3 primes) Given a composite order bilinear group generator G(1 k ), we define the following two distributions: We define the advantage of an algorithm A in breaking the subgroup decision assumption 1 to be: We note that L 1 can be written (uniquely) as the product of an element of G p1 and an element of G p2 . We refer to these elements as the ''G p1 part of L 1 '' and the ''G p2 part of L 1 '' respectively.
Definition 3. We say that G satisfies the subgroup decision Assumption 1 if Adv1 G,A (k) is a negligible function of k for any polynomial time algorithm A.
Assumption 2. (Subgroup decision problem for 3 primes) Given a composite order bilinear group generator G(1 k ), we define the following two distributions: We define the advantage of an algorithm A in breaking the subgroup decision assumption 2 to be: Definition 4. We say that G satisfies the subgroup decision Assumption 2 if Adv2 G,A (k) is a negligible function of k for any polynomial time algorithm A.

KUNode Algorithm
The KUNode algorithm was proposed by Boldyreva et al. [11] to achieve efficient revocation for IBE schemes. In the description hereafter, we employ similar notations as in [11]. Denote the root node of the tree T by root. If g is a leaf node, we denote the set of nodes on the path from g to root by Path(g). If g is a non-leaf node, we denote the left and right child of g by g L and g R , respectively.
At each time period, KUNode algorithm determines the smallest subset Y5T of nodes that contains an ancestor of all leaves corresponding to non-revoked users. This minimal set precisely contains nodes for which key updates have to be publicized in such a way that only non-revoked users will be able to generate the appropriate decryption key for the matching period. To identify the set Y, KUNode algorithm takes as input a binary tree T, revocation list RL and a period number T. If a user (assigned to g) is revoked on time T, then (g,T)[RL. KUNode algorithm first marks all ancestors of users that were revoked by time T as revoked nodes. Then, it inserts in Y the non-revoked children of revoked nodes. The description of KUNode(T,RL,T) is given in Table 2 Algorithm 2.
The example illustrated in Figure 1 can be used to help the reader understand the KUNode(T,RL,T) algorithm. Assume that a user associated with node x 9 is revoked, then X~Path(x 9 )~fx 9 ,x 4 ,x 1 , root~x 0 g and Y~fx 2 ,x 3 ,x 10 g. Intuitively, all users, except the user associated with noed x 9 , have a node x[Y that is contained in the set of nodes on the path from their assigned node to root, whereas Y\Path(x 9 )~6 0.
When a user joins the system, PKG assigns a leaf node g of a complete binary tree to the user, and issues a set of keys, wherein each key is associated with a node on Path(g). At time period T, PKG broadcasts key updates for a set KUNode(T,RL,T). Then, only non-revoked users have at least one key corresponding to a node in KUNode(T,RL,T) and are able to generate decryption keys on time T.

Dual System Encryption
Dual system encryption is a proof methodology first introduced by Waters [8], which opens up a new way to prove adaptive security under simple assumptions for IBE and related encryption systems.
In a dual system encryption system, both ciphertexts and private keys can take on one of two indistinguishable forms [9]. A private key or ciphertext is normal if they are generated from the system's key generation or encryption algorithm. Semi-functional ciphertexts and private keys are not used in the real system, they are only used in the security proof. A normal private key can decrypt normal or semi-functional ciphertexts, and a normal ciphertext can be decrypted by normal or semi-functional private keys. However, decryption will fail with high probability if one attempts to decrypt a semi-functional ciphertext with a semi-functional private key.
Unlike previous proof technique called partitioning strategy which partitions the identity space into two parts, dual system encryption defines a sequence of games and proves their indistinguishability with the real game. The first game is the real security game in which the challenge ciphertext and private keys are normal. In the next game, the ciphertext is switched from normal to semi-functional, while all the private keys are normal. For an adversary that makes q private key requests, games 1 through q follow. In game k, the first k private keys are semifunctional while the remaining private keys are normal. In game q, all the private keys and the challenge ciphertext given to the adversary are semi-functional. Hence none of the given private keys are useful for decrypting the challenge ciphertext. At this point, At this point proving security becomes relatively easy since the reduction algorithm does not need to present any normal private keys to the adversary and all semi-functional private keys are useless for decrypting a semi-functional ciphertext.

Syntax and Security Definitions of RIBE
In this section, we recall the syntax and security model of RIBE as defined in [13]. Unlike the syntax definition in [13], we define the decryption key generation algorithm as probabilistic rather than deterministic. A RIBE scheme can be defined by the following seven polynomial-time algorithms: Setup The stateful setup algorithm is run by the PKG, which takes a security parameter k and a maximal number of users N as input, it outputs the public parameter mpk, the master secret key msk, the initial revocation list RL~6 0, and a state ST. We assume that the message space M and the identity space I, the time space T, and the ciphertext space CT are contained in mpk.
Extract The stateful private key extract algorithm is run by the PKG, which takes mpk, msk, an identity ID[I, a state ST as input, it outputs a secret key sk ID associated with ID and an updated state ST.
KeyUpdate The key update generation algorithm is run by the PKG, which takes mpk, msk, the key update time T[T, the current revocation list RL, and ST as input, it outputs the key update ku T .
DKeyGen The probabilistic decryption key generation algorithm is run by a user, which takes mpk, sk ID , and ku T as input, it outputs a decryption key dk ID,T to be used during period T or a special symbol \ indicating that ID was revoked.
Encrypt The probabilistic encryption algorithm is run by a sender, which takes mpk, ID[I, T[T, and a message m[M as input, it outputs a ciphertext c.
Decrypt The deterministic decryption algorithm is run by the receiver, which takes mpk, dk ID,T , and c as input, it outputs m or \ if C is an invalid ciphertext.
Revoke The stateful revocation algorithm is run by the PKG, which takes an identity to be revoked ID[I, a revocation time Table 2. Algorithm 2: KUNode Algorithm KUNode(T,RL,T). T[T, the current revocation list RL, and a state ST as input, it outputs an updated RL by adding ID as a revoked user at time T.
We have a basic consistency requirement that for any (mpk, msk)/Setup (1 k ,N) Note that the security model captures realistic threats including decryption key exposure [13].
Definition 6. Let P be a RIBE scheme, we say that P is IND-RID-CPA secure if any PPT adversary A has negligible advantage in this following experiment: The adversary A's advantage is defined as follows.

Our Construction
In this section, we propose an efficient and provable secure RIBE scheme by exploiting Lewko and Waters IBE scheme [9] and KUNode algorithm.
Setup The PKG runs composite order bilinear group generator G(1 k )?(n~p 1 p 2 p 3 ,G,G T ,ê e), chooses g,u 1 ,u 2 ,h / $ G p1 and a / $ Z n . The PKG publishes the public system parameters as follows.
mpk~fn,g,u 1 ,h,u 2 ,ê e(g,g) a g: The master secret keys are a and a generator of G p3 . Extract The PKG chooses an unassigned leaf g from T at random, and stores ID in the node g. For each node h[Path(g), PKG performs as follows.
N Recall g h if it was defined. Otherwise, g h / $ G p1 and store (g h ,g g h~g a =g h ) in the node h.
N Choose r h / $ Z n and R 3 ,R' 3 ,R'' 3 / $ G p3 at random. Note that we can get a random elements of G p3 by taking a generator of G p3 and raising it to random exponents modulo n.
Encrypt A sender chooses a random integer t / $ Z n and outputs C 0~Mê e(g,g) at ,C 1~( u ID 1 u T 2 h) t ,C 2~g t : Decrypt The receiver parses C~(C 0 ,C 1 ,C 2 ) and dk ID,T~( D 1 ,D 2 ) and outputs C 0ê e(D 2 ,C 2 ) e e(D 1 ,C 1 ) Revoke Let g be the leaf node associated with ID. The PKG updates the revocation list by RL/RL|f(g,T)g and returns the updated revocation list.
The correctness of our RIBE construction can be verified as follow.ê e(D 2 ,C 2 ) e e(D 1 ,C 1 )~ê

Security Proofs
To prove the security of our RIBE scheme, we first define three additional structures: semi-functional ciphertexts, semi-functional private keys and semi-functional update keys. For the semifunctional type, we let g 2 denote a fixed generator of the subgroup G p2 .
N Semi-functional Ciphertext: A normal ciphertext C'~(C 0 ,C 1 ,C 2 ) is first generated by the encryption algorithm. It then chooses x,z c / $ Z n and sets: N The semi-functional ciphertext is C~(C 0 ,C 1 ,C 2 ).
N Semi-functional Private Key: A normal private key is generated by the private key generation algorithm for an identity ID. It then chooses c,z k ,z' k / $ Z n and sets: N The semi-functional private key is sk ID~f (K 1 ,K 2 , N Semi-functional Update Key: A normal update key is generated by the update key generation algorithm. It then chooses l,z u ,z' u / $ Z n and sets: N The semi-functional update key is ku T~f (U 1 ,U 2 , N The semi-functional decryption key is dk ID,T~( D 1 ,D 2 ).
Note that when a semi-functional decryption key is used to decrypt a semi-functional ciphertext, the decryption algorithm will compute the blinding factor multiplied by the additional term e e(g 2 ,g 2 ) xr(z d {zc) . If z d~zc , decryption will still work. In this case, the decryption key is nominally semi-functional. In our proof, normal decryption keys are generated by normal subkeys of private keys and normal subkeys of update keys, while semifunctional decryption keys are generated by semi-functional subkeys of private keys and normal subkeys of update key, or normal subkeys of private keys and semi-functional subkeys of update keys.
There are two types of adversaries in simulation. Type-I adversary issues private key queries on the challenge identity ID Ã , but the challenge identity should be revoked before the challenge time T Ã ; Type-II adversary will never issue private key queries on the challenge identity. Obviously, if a RIBE scheme is secure against Type-I adversary, it is definitely secure against Type-II adversary. For this reason, we only consider Type-I adversary in the following security proofs.
Denote by q sk and q ku the number of private key queries for non-challenge identities and update key queries for non-challenge time issued by an adversary, respectively. Denote by ' the maximum node number a private key involves, and those nodes are not on the path from the root node to the challenge node g Ã .
We give our proof as a sequence of games, which are defined in the order as follows.
N Game A : The actual RIBE security game, where all private keys, update keys, decryption keys and the challenge ciphertext are normal.
N Game R : The restricted game, is the actual security game except that adversary can not issue private key queries for ID~ID Ã mod p 2 and update key queries for T~T Ã mod p 2 . Note that adversary can issue private key queries for ID~ID Ã mod n, but ID Ã should be revoked before T Ã : N Game ku k : The restricted security game where the challenge ciphertext, all ' subkeys of all private keys, and subkeys ku T,h of the first k update key ku T are semi-functional, while the rest subkeys of q sk private key and the rest subkeys of q sk update keys are normal. Here h[Path(g Ã ). It is obvious that Game sk q sk ,'~G ame ku 0 .
N Game F : The final game, is the same as security game Game ku q ku except that the challenge ciphertext is a semi-functional encryption of a random message.
Next, we prove the indistinguishability of those games by following lemmas. Lemma 1. Suppose there exists an algorithm A such that Adv Game A A {Adv GameR A~E , then we can build an algorithm B with advantage E 2 in breaking Assumption 2. Proof. Given g,X 1 X 2 ,X 3 ,Y 2 Y 3 , algorithm B can simulate Game A with A. Assume that A produces identities ID and ID Ã such that ID=ID Ã mod n and p 2 divides ID{ID Ã with probability E (If A fails to do this, B simply guesses at random). B uses these identities to produce a nontrivial factor of n by computing a~gcd(ID{ID Ã ,n). Set b~n a , and consider the following three cases: N Case 1 one of a,b is p 1 , and the other is p 2 p 3 N Case 2 one of a,b is p 2 , and the other is p 1 p 3 N Case 3 one of a,b is p 3 , and the other is p 1 p 2 B can determine if Case 1 has occurred by testing if either of (Y 2 Y 3 ) a or (Y 2 Y 3 ) b is the identity element. If this happens, we will suppose that a~p 1 and b~p 2 p 3 without loss of generality. B can then learn whether T has a G p2 component or not by testing if e e(T a ,X 1 X 2 ) is the identity element. If it is not, then T has a G p2 component.
B can determine if Case 2 has occurred by testing if either of (X 1 X 2 ) a or (X 1 X 2 ) b is the identity element. Assuming that B has already ruled out Case 1 and neither of them is the identity element, then Case 2 has occurred. B can learn which of a,b is equal to p 1 p 3 by testing which of g a ,g b is the identity. Without loss of generality, we assume that a~p 2 and b~p 1 p 3 . Then, B can learn whether T has a G p2 component or not by testing if T b is the identity element. If it is not, then T has a G p2 component.
B can determine that Case 3 has occurred when the tests for both Cases 1 and Case 2 fail. It can learn which of a,b is equal to p 3 by testing which of X a 3 ,X b 3 is the identity. Without loss of generality, we assume that a~p 3 . B can learn whether T has a G p2 component or not by testing whetherê e(T a ,Y 2 Y 3 ) is the identity. If it is not, then G p2 has a G p2 component.
This completes the proof. % Lemma 2. Suppose there exists an algorithm A such that

Adv GameR
A {Adv Game sk 0,0 A~E , then we can build an algorithm B with advantage E in breaking Assumption 1.
Proof. B first receives g,X 3 ,L, then simulates Game R or Game 0 with A. B chooses a,a 1 ,b,a 2 / $ Z n , sets public parameters as g~g, u 1~g a1 , u 2~g a2 , h~g b , and sends the public parameters to A.
N When B is asked to provide a update key with time period T.
For each node h[KUNode(T,RL,T), B performs the following steps.
-Retrieveg g h (Note thatg g h is always pre-defined in the Extract algorithm).
-Return ku T~f (U 1 ,U 2 ,U 3 )g h[KUNode(T,RL,T) . N When B is asked for a private key with identity ID. For each node h[Path(g) where g is the leaf node assigned to ID, B performs the following steps.
-Recall g h if it was defined. Otherwise, g h / $ G p1 (We can do this by by taking the generator of G p1 , g, and raising it to random exponents modulo n) and store (g h ,g g h~g a =g h ) in the node h.
-Return sk ID~f (K 1 ,K 2 ,K 3 )g h[Path(g) . N When B is asked for a decryption key with identity ID and time period T, then B successively runs the Extract algorithm, KeyUpdate algorithm and DKeyGen algorithm.
A sends B two message, M 0 and M 1 , and a challenge identity, ID Ã , challenge time period, T Ã . B chooses b[f0,1g randomly. The ciphertext is formed as follows.
C 0~Mbê e(L,g) a , C 1~L zc , C 2~L : This implicitly sets g s equal to the G p1 part of L: If L[G p1p2 , then this is a semi-functional ciphertext with z c~a1 ID Ã za 2 T Ã zb: We note that the value of z c modulo p 2 is not correlated with the values of a and b modulo p 1 , so z c is properly distributed. If L[G p1 , this is a normal ciphertext. Hence, simulator B can use the output of A to distinguish between these possibilities for L.
This completes the proof. Proof. B first receives g,X 1 X 2 ,X 3 ,Y 2 Y 3 ,L, and picks a,a 1 ,b,a 2 / $ Z n , then B sets the public parameters as g~g, u 1~g a1 , h~g b , u 2~g a2 ,ê e(g,g) a and sends the public parameters to A. N When A issues the i-th private key query for all subkeys corresponding to the challenge identity, or subkeys that associated with nodes are not on the path from the node associated with challenge identity to the root node, B generates normal private keys by calling the normal private key generation algorithm. Otherwise, B generate the j-th subkey, associated with those ' subkeys, of the i-th private key as follows.
1. For ivk _ (i~k^jƒk') and h[Path(g) -Recall g h if it was defined. Otherwise, g h / $ G p1 and store (g h ,g g h~g a =g h ) in the node h. ).

For i~k^j~k' and h[Path(g),
-Recall g h if it was defined. Otherwise, g h / $ G p1 and store (g h ,g g h~g a =g h ) in the node h.
3. For iwk _ (i~k^jwk'), B generates normal private keys by calling the normal private key generation algorithm.
N When A issues a update key query with time period T, then B generates normal update keys by calling the normal update key generation algorithm.
N When A issues a a decryption key query with identity ID and time period T, then B successively runs the Extract algorithm, KeyUpdate algorithm, and DKeyGen algorithm.
At some point A sends two messages, M 0 and M 1 , a challenge identity ID Ã , and a challenge time period T Ã to B. B sets b[f0,1g randomly. The challenge ciphertext is formed as follows.
C 0~Mbê e(X 1 X 2 ,g) a , C 1~( X 1 X 2 ) zc ,C 2~X1 X 2 : We note that this sets g s~X 1 and z c~a1 ID Ã za 2 T Ã zb. Since f (ID,T)~a 1 IDza 2 Tzb is a pairwise independent function modulo p 2 , as long as ID=ID Ã mod p 2 and T=T Ã mod p 2 , z k and z c will seem randomly distributed to A.
If L[G p1p3 , then B has properly simulated Game sk k,k'{1 . If L[G, then B has properly simulated Game sk k,k' . Hence, B can use the output of A to distinguish between these possibilities for L.
This completes the proof. Proof. This proof is analogous to the proof of lemma 3. % Proof. B first receives g,X 1 X 2 ,X 3 ,Y 2 Y 3 ,L, and picks a,a 1 ,b,a 2 / $ Z n , then B sets the public parameters as g~g, u 1~g a1 , h~g b , u 2~g a2 ,ê e(g,g) a and sends the public parameters to A.
N When A issues private key query for the challenge identity or subkeys that associated with nodes are not on the path from the node associated with challenge identity to the root node, B generates normal private keys by calling the normal private key generation algorithm. Otherwise, for each node h[Path(g), B performs as follows.
-Recall g h if it was defined. Otherwise, g h / $ G p1 and store (g h ,g g h~g a =g h ) in the node h.
-Return sk ID~f (K 1 ,K 2 ,K 3 )g h[Path(g) . N When A issues the update key query for the challenge time period, B generates normal update keys by calling the normal update key generation algorithm. Otherwise, B performs as follows.
2. For i~k. When h[KUNode(T,RL,T)^h = [Path(g Ã ), B generates normal update keys by calling the normal update key generation algorithm. When h[Path(g Ã ), B performs as follows.