Unbounded and revocable hierarchical identity-based encryption with adaptive security, decryption key exposure resistant, and short public parameters

Revocation functionality and hierarchy key delegation are two necessary and crucial requirements to identity-based cryptosystems. Revocable hierarchical identity-based encryption (RHIBE) has attracted a lot of attention in recent years, many RHIBE schemes have been proposed but shown to be either insecure or bounded where they have to fix the maximum hierarchical depth of RHIBE at setup. In this paper, we propose a new unbounded RHIBE scheme with decryption key exposure resilience and with short public system parameters, and prove our RHIBE scheme to be adaptively secure. Our system model is scalable inherently to accommodate more levels of user adaptively with no adding workload or restarting the system. By carefully designing the hybrid games, we overcome the subtle obstacle in applying the dual system encryption methodology for the unbounded and revocable HIBE. To the best of our knowledge, this is the first construction of adaptively secure unbounded RHIBE scheme.


Introduction
Revocation functionality is indispensable to (H)IBE since there are threats of leaking a secret key by hacking or legal situation of expiration of contract for using system. In those seminal works [1] [2], it has also been pointed out that providing an efficient key hierarchy delegation mechanism for IBE is essential. To satisfing both hierarchical key delegation and user revocation, revocable hierarchical identity-based encryption (RHIBE) has been paid attention. Unfortunately most of existing RHIBEs proposed [1] [3] [4] [5] [6] [7] are either insecure or bounded where they have to fix the maximum hierarchical depth of RHIBE at setup. Bounded (R)HIBE schemes restrict the maximum hierarchy of (R)HIBE, i.e., they need to declare the max level in the public parameters at setup phase. It is highly impossible to set the maximum hierarchy properly in practice: too small to accommodate enough users or too large that wastes identity space needlessly and increase keys computation unnecessarily. PLOS  In contrast, the unbounded RHIBE is more scalable to achieve efficient and dynamic user management. Ryu proposed an unbounded RHIBE scheme [7] inspired by an universe KP-ABE [8]. But it only achieves selective-ID security. In selective-ID security notion, the reduction algorithm requires the challenge identity before the setup phase in the proof [1,3]. That means the adversary holds no information before giving the challenge ID, but the simulator can exploit the challenge information submitted by the adversary to construct the trick public parameters and other keys in games. That is a weaker security notion.
Adaptive-ID security represents full security notion that an adversary gives the challenge identify when he has learnt the public information. Lee [5] considered the adaptively secure RHIBE but his scheme don't support the property of unbounded hierarchical key delegation. Xing [9] claimed to achive the first adaptively secure and unbounded RHIBE, but its security proof that uses the dual system encryption technique has some flaws. Therefore, the construction of an adaptively secure unbounded RHIBE scheme is still an unsolved open problem.

Our techniques
The dual system encryption framework [10] is usually for proving the adaptive security of HIBEs in composite-order bilinear groups. To achieve the adaptive security in the framework, the notion of semi-functionality is introduced [10] [11] and the proof strategy is that a normal challenge ciphertext is changed to be semi-functional, and then each normal private key is changed to be semi-functional one by one through hybrid games.
There is a paradox that need to be overcome. Since a normal ciphertext can be decrypted by a semi-functional private key but a semi-functional ciphertext cannot be decrypted by a semi-functional private key, a simulator can check whether a private key is normal or semifunctional by decrypting a semi-functional ciphertext(note that a simulator can generate a ciphertext and a private key for any identity). To overcome the obstacle, the nominally semifunctional type of private keys is introduced: the challenge semi-functional private key is constructed as a nominally semi-functional private key so that the semi-functional ciphertext of the same identity the simulator generates always can be decrypted by it. In addition, a detailed information theoretic argument should be given to argue that a nominally semi-functional key is indistinguishable from a semi-functional key. Although the dual system encryption is maturing to exploit in normal HIBEs to achieve the adaptive security, it is more complex when dealing with revocable HIBE schemes. In HIBE, the essential restriction for the information theoretic argument is that an adversary cannot query a private key for ID that is a prefix of the challenge identity ID Ã . However, the restriction do not exist in RHIBEs. The private key of any prefix of ID Ã and the update key for the challenge time T Ã are both allowed to query for the adversary in RHIBEs. Recall that the simulator of an HIBE scheme can change the normal-private key to a semi-functional private key by using a nominally semi-functional key and the constraint ID = 2 Prefix(ID Ã ) of the security model. The nominally semi-functional key is indistinguishable from a semi-functional key by an information theoretic argument using the constraint ID = 2 Prefix(ID Ã ). However, in the case of (U-)RHIBE, a simple method cannot change the normal-private key to the semi-functional private key since the adversary can query and achieve the private key for any ID 2 Prefix(ID Ã ).
Moreover, an unbounded RHIBE scheme has so low entropy context that it is hard to execute an information-theoretic argument, which is different with those bounded RHIBE schemes. So the dual system encryption method in Lee-RHIBE [5] does not work. Although Lewko and Waters [12] has proposed a nested dual system encryption approach to allow a sufficient information-theoretic argument in a very localized context for unbounded HIBEs, the trival applying to a revocable extention scheme is inappropriate to hold the paradox information theoretic argument. Unfortunately Xing and Wang [9] have neglected this important change, so that the proof of their unbounded RHIBE scheme is non-rigorous with flaws. Obviously the attacker can distinguish between the oracles they design for the game hoppings in [9], which is not as they claimed in Lemma 4. To circumvent the subtle obstacle and apply the dual system encryption methodology for our adaptively secure unbounded RHIBE with decryption key exposure resistance, our strategy is threehold: (1) We use a modular design strategy like [13] and construct the private keys and update keys from smaller component keys. A private key consists of many HIBE private keys that are related to a path in a binary tree and an update key also consists of many IBE private keys that are related to a cover set in a binary tree. The HIBE and IBE private keys can be grouped together if they are related to the same node in a binary tree. So we change to deal with the transformation of component HIBE and IBE keys in the hybrid games instead of directly with the private keys and update keys of RHIBE which cannot be simply changed from normal keys to semi-functional keys.
(2) We design a nested dual system encryption for revocable and hierarchical IBE schemes with the concept of ephemeral semi-functionality for secret keys, update keys, decryption keys and ciphertexts. To demonstrate a hybrid process of games to chellenge keys and ciphertexts, we define several oracles to simulate the different forms of the component HIBE and IBE keys which construct the semi-functional or ephemeral semi-functional secret keys, update keys and decryption keys.
(3) For showing an information theoretic argument under RHIBE model successfully, we firstly classify the behavior of an adversary as two types under the restriction of the RHIBE security model. The Type-1 adversary is restricted to queries on the secret keys of any hierarchical identity satistying IDj k = 2 PrefixðID Ã l Þ, so we carefully re-design a sequence of hybrid games to show several times of information theoretic arguments successfully for the secret keys and avoid a potential paradox for the update keys. The Type-2 adversary is restricted to queries on the update keys on the time T = 2 T Ã , so we carefully re-design the other sequence of hybrid games to show several times of information theoretic argument successfully for the update keys and avoid a potential paradox for the secret keys.

Our result
We propose the first adaptively secure unbounded RHIBE in composite-order bilinear groups under simple static assumptions. It removes the limitation of the maximum hierarchical depth in the encryption system and accommodate more levels of user adaptively without adding workload or restarting the system. Our RHIBE scheme also supports decryption key exposure resistance by the key-randomization method which meets the strong security notion for R(H) IBE [14].
Compared to existing RHIBE schemes, it is the first RHIBE to achieve simultaneously adaptive-ID security, decryption key exposure resistance and unbounded key delegation, as shown in Table 1. In Table 2, we discuss the comparison about the efficiency of key space and decryption computation, noted that l is the maximum level of the hierarchy, h is the level of a user in the hierarchy, N is the number of maximum users in each level, r is the number of revoked users, t e is the cost for performing a bilinear pairing, |G| and |G T | are the sizes of one element in G and G T respectively. Our RHIBE scheme has the short and constant public parameter which is independent with the maximum level of the system hierarchy. Moreover, our RHIBE reduces the size of the update key from O(hrlog(N/r))to O(h + rlog(N/r)).

Related works
Efficient user revocation in RHIBE. An efficient tree-based key updating technique called the complete subtree (CS) method is a specific instance of the subset cover framework of Naor et al. [15]. In the scalable RIBEs using the CS method [16] [17] [14] [18] [19], every user holds a secret key composed of logN subkeys, where N is the number of all users, and only one subkey of a non-revoked user can be used to generate a decryption key. If we directly extend this mechanism to RHIBE scheme, the second-level user need to prepare (logN) 2 subkeys since for every subkey of his parent he needs to generate logN subkeys respectively, which results to (logN) l subkeys for an l-level user. Tsai et al. simply set the update key as another secret key in their RHIBE scheme [4]. Their construction is just as a trivial combination of two concurrent HIBE system, one for the derivation of secret keys and another for update keys. Lack of any efficient method of update and revocation, the size of the update key depends on the size of users linearly instead of logarithmically. Moreover, his approach require a new key center for update keys (called delegated revocation authority, DRA). That double deployment of key centers increases the system cost. Seo and Emura proposed a revocable HIBE scheme [1] with (l 2 logN)-size secret keys for a user, where l is the maximum hierarchical level. This history preserving update method leads to a lengthy history information in an update key and requires the recursive definition of secret keys and update keys. Afterward Seo proposed a RHIBE with (l Á logN)-size secret keys for a user by a history-free update method. Recently, Lee and Park [13] proposed a new RHIBE scheme with shorter private keys and update keys by combining a new HIBE scheme that has short intermediate private keys and the CS scheme in a modular way, where the size of the secret key is (logN) and the size of the update key is (l + rlog(N/r)). Another revocation method called the subset difference (SD) method [20] was utilized to

Definition 2
We define an experiment under the adaptive-ID security against chosen plaintext attacks model in [5], as named "IND-RID-CPA" security.
A is allowed to issue the above oracles with the following restrictions: 1. Revoke Q (Á, Á) can be queried on time T if KeyUp Q (Á) was queried on T.
2. DKGen Q (Á, Á) cannot be queried on time T before KeyUp Q (Á) was queried on T.
3. If A requested a private key query for ID Ã k that is a prefix of ID Ã l where k l, then the identity ID Ã k or one of its ancestors should be revoked at some time T where T T Ã . 4. A cannot request a decryption key query for the challenge identity ID Ã | l or its ancestors on the challenge time T Ã .

5.
A cannot request a revocation query for ID| k on time T if he already requested an update key query for ID| k in time T.

6.
A must query to KeyUp(Á, Á) and Revoke(Á, Á) for same identity in increasing order of time.
The advantage of A is defined as Adv RHIBE A ðlÞ ¼ jPrðb ¼ b 0 Þ À 0:5j. We say that RHIBE is IND-RID-CPA secure if for all PPT adversary A, his advantage Adv RHIBE A ðlÞ is negligible in the security parameter λ.

Complexity assumptions
We generate ðn; G; G T ; eÞ G where G and G T be cyclic groups with order N and p = p 1 p 2 p 3 , p 1 , p 2 , p 3 are distinct prime numbers, e: G×G! G T is an efficient, nondegenerate bilinear map. We denote the subgroup of G with order p i as G p i . We define a function Adv G;A ðlÞ ¼ jPr½AðD; T 1 Þ À Pr½AðD; T 2 Þj for any PPT algorithm A and parameters D, T 1 , T 2 .
is a negligible function of λ for any PPT algorithm is A. 3 , a; s R Z n , T 1 be e(g, g) αs , T 2 R G T , D = ðG; g; g 2 ; g 3 ; g a X 2 ; g s Y 2 Þ, we say that G satisfies Assumption 2 if Adv G;A ðlÞ is a negligible function of λ for any PPT algorithm is A.
is a negligible function of λ for any PPT algorithm is A.
is a negligible function of λ for any PPT algorithm is A.

Design of U-RHIBE system
We firstly describe the key encapsulation mechanism (KEM) version of the unbounded HIBE scheme [12] and its 1-level (H)IBE scheme that are used as the building blocks of our RHIBE schemes. Let GS ¼ ððN ¼ p 1 p 2 p 3 ; G; G T ; eÞ; g; g 2 ; g 3 Þ GðlÞ be the bilinear group, where λ is a security parameter and g 2 denotes a generator of G p 2 , g 3 denotes a generator of G p 3 and g be a generator of G p 1 .

HIBE scheme
We define a key-group function κ(I, y, r) as the group elements kðI; y; rÞ ¼ ðw y ; g y ; g r ; ðu I hÞ r v y Þ and an expression g λ κ(I, y, r) as g l kðI; y; rÞ ¼ ðg l w y ; g y ; g r ; ðu I hÞ r v y Þ

HIBE.Setup(GS):
It selects u; h; w; v R G p 1 and a R Z p . It outputs a master key MK = α and public parameters PP = ((p, G, G T , e), g, u, h, w, v, O = e(g, g) α ).
HIBE.Encaps(ID| l , s, PP): Let ID| l = (I 1 , . . ., I l ) 2 I l . It chooses t 1 ; Á Á Á ; t k R Z p and outputs a ciphertext CT IDj l ¼ ðg s ; fw s v t i ; ðu I i hÞ t i ; g t i g Additionally, we introduce two algorithms for our modular RHIBE construction, the Chan-geKey algorithm and the MergeKey algorithm, which are defined similarly with the algorithms in [5].

IBE scheme
A trivial extension to RHIBE from the HIBE in [12] constructs the decryption key of (T, ID| k ) It remains some problem in the proof of RHIBE model, where the information theoretic argument is not easy to show as of the model of HIBE. So we modify the construction by defining a new update-keygroup function as and D 0 = g l 0 k T ðT; y 0 ; r 0 Þ, which is constructed from the component IBE secret key.
IBE.GenKey(T, MK, PP): This algorithm takes as input a time T and the master key MK, and the public parameters PP. It chooses r; y R Z p and outputs a IBE secret key SK T = g α κ T (T, y, r).
The contruction of IBE.ChangeKey and IBE.MergeKey is similar with HIBE.ChangeKey and HIBE.MergeKey and we omit them here.

The CS method
We exploit the complete subtree (CS) method to construct our RHIBE scheme. We follow the definition of the CS scheme in the work of Lee and Park [22]. CS.Setup(N max ): Let N max = 2 n . It first sets a full binary tree BT of depth n. Each user is assigned to a different leaf node in BT . The collection S is defined as {S i } where S i is the set of all leaves in a subtree T i with a subroot v i 2 BT . It outputs the full binary tree BT .
CS.AssignðBT ; IDÞ: Let v ID be a leaf node of BT that is assigned to the user ID. Let (v k 0 , v k 1 , Á Á Á, v k n ) be the path from the root node v k 0 = v 0 to the leaf node v k n = v ID . For all j 2 {k 0 , Á Á Á, k n }, it adds S j into PV ID . It outputs the private set PV ID = {S j }.

CS.CoverðBT
; RÞ: It first computes the Steiner tree ST(R). Let T k 1 ; Á Á Á ; T k m be all the subtrees of BT that hang off ST(R), that is all subtrees whose roots v k 1 , Á Á Á, v k m are not in ST(R) but adjacent to nodes of outdegree 1 in ST(R). For all i 2 {k 1 , Á Á Á, k m }, it adds S i into CV R . It outputs a covering set CV R = {S i }.
CS.Match(CV R , PV ID ): It finds a subset S k with S k 2 CV R and S k 2 PV ID . If there is such a subset, it outputs S k . Otherwise, it outputs ?.

Construction
RHIBE.Setup(1 λ , N max ): The Setup algorithm takes a security parameter λ and a maximum number of users for each level N max as input. It firstly runs G to obtains two groups G, G T of order p = p 1 p 2 p 3 , where p 1 , p 2 , p 3 are distinct primes, and a bilinear map e: G×G!G T . It sets GS = ((N, G, G T , e), g, g 2 , g 3 ) where g, g 2 and g 3 denote the generators of G p 1 , G p 2 , and G p 3 , where β ID k−1 is a false master key and z ID k−1 is a PRF key.
2. It first assigns ID| k to a random leaf node v 2 BT ID| k−1 and obtains a node set Path(ID| k )

For each
This algorithm takes as input a ciphertext CT ID| l ,T = (CH IBE,T , CH HIBE,ID| l , C), a decryption key

Correctness
If a user is not revoked at time T, the RHIBE.DeriveKey algorithm correctly derive his decryption key DK ID| k ,T as The RHIBE.Decrypt algorithm takes CT ID| l ,T as input, where and computes B = C/M as

Security analysis
We use the dual system encryption proof techinique to prove the adaptive security of our U-RHIBE. We adopt the concept of ephemeral semi-functionality [12] and design a new nested dual system encryption for unbounded RHIBEs. As an intermediary transforming stage between the normal and semi-functional distributions, the ephemeral semi-functionality helps us to overcome the challenge presented by low entropy in the public parameters.

Theorem 1 Our unbounded RHIBE scheme is IND-RID-CPA secure if Assumption 1-4 hold.
Proof We firstly define the semi-functional type and the ephemeral semi-functional types of keys and ciphertexts in Sec.4.1 which represent the types of keys and ciphertexts answered to the queries in the challenge game. Secondly we conduct the security proof by the indistinguishabilities of a sequence of hybrid games that we define in Sec.4.2.
We define the semi-functional ciphertext and five types of ephemeral semi-functional ciphertexts of a normal ciphertext CT ID| l ,T by changing the C 0 element into G p 1 p2 and the l + 1 numbers of the ciphertext-element-groups ( As we mentioned before, our normal secret key and update key cannot be simply changed to semi-functional keys as same as in [11] one by one owing to the inefficiency of the information theoretic argument in our scheme. And we divide secret keys and update keys into samll component keys which are group together if they are related to the same node in a binary tree.
We only change the last element-group of our normal secret key for constructing the semifunctional secret key and the ephemeral semi-functional secret key like in [11]. We define one type of semi-functional secret key and five types of ephemeral semi-functional secret key. The defination of ephemeral semi-functional secret key called ESF-1-SK, ESF-2-SK, ESF-3-SK, ESF-4-SK and ESF-5-SK are in Appendix.A. In the defination of the semi-functional secret key, we add G p 2 p3 term on the first 2 elements and the last element of the last element-group.

RHIBE.SKeySF
Þ to the node θ 2 Path(ID j ) in the BT ID| j−1 as follows: It chooses random exponents y 0 , r 2 Z p and choose σ 1 , ψ 1 2 Z p , then it constructs κ sf (I j , y 0 , r) for the last element-group as And the contruction of the other element-groups follows the construction of SK HIBE,S θ in RHIBE.GenKey.
We define one type of semi-functional update key and five types of ephemeral semi-functional update key. The defination of ephemeral semi-functional update key called ESF-1-UK, ESF-2-UK, ESF-3-UK, ESF-4-UK and ESF-5-UK are in Appendix.A. The constructions from the normal component update key to the (ephemeral) semi-functional component update keys are similar to that of secret keys, expect that we change the first element group of normal component update key to different types. i¼0 Þ to the node θ 2 KUNode as follows: It chooses random exponents y 0 , r 2 Z p and choose σ 2 , ψ 2 2 Z p , then it constructs k sf T ðT; y 0 ; rÞ of the first element-group (U 0,0 , U 0,1 , U 0,2 , U 0,3 ) as

RHIBE.UpdateKeySF ðT; ST
And the contruction of the other element-groups follows the construction of RSK HIBE and SK IBE,S θ in RHIBE.UpdateKey. Then we re-randomize it by running RHIBE.RandDK and output it.

Sequence of games
We define a squence of games to verify the advantage in distinguishing G Real and G Final is negligible. In Table 3, we give the types of key in the queries and the challenge cipertext in every game, and the decryption situation according to the types of keys and ciphertexts. G Real : It is the original game in which all seceret keys, update keys, decryption keys and ciphertexts are normal. G C : The challenge ciphertext is changed to be semi-functional and all other keys are still normal. G C 0 : This game is exactly like Game C , except for a added restriction about the challenge key identity vector. We explain the restriction in Sec.4.6.
G E−S : The secret keys are changed to ESF-2. The update keys and decryption keys are still normal. The challenge ciphertext is semi-functional. This game is used in the proof of the security against Type-1 adversary.
G E−U : The update keys are changed to ESF-2. The secret keys and decryption keys are still normal. The challenge ciphertext is semi-functional. This game is used in the proof of the security against Type-2 adversary. G E−S 0 : This game is almost as same as G E−S except the challenge ciphertext is chaged to ESF-1. This game is used in the proof of the security against Type-1 adversary. G E−U 0 : This game is almost as same as G E−U where the update keys are ESF-2, the secret keys and decryption keys are normal, except the challenge ciphertext is chaged to ESF-1. This game is used in the proof of the security against Type-2 adversary.
G ESF 0 : The update keys and secret keys are all changed to ESF-2. The challenge ciphertext is changed to ESF-1. The decryption keys are still normal. G SF 0 0 : All secret keys, update keys, and challenge ciphertext are changed to semi-functional. The decryption keys are still normal. G SF 0 : The challenge ciphertext is changed to semi-functional. The decryption keys are changed to be semi-functional. That is, all secret keys, update keys, decryption keys, and challenge ciphertext are now semi-functional. This game is exactly like G SF , except for a added restriction about the challenge key identity vector. We explain the restriction in Sec.4.6.
G SF : The challenge ciphertext and all keys are semi-functional. G Final : The session key is changed to be random and so the adversary has no advantage to distinguish the challenge massage.
Let Adv RHIBE A be the advantage of A in the real game. From the all the lemmas in this section, we obtain the following equation

Definition of oracles
We introduce seven oracles which answer queries from the challenger B by sampling various distributions of group elements from a composite order bilinear group. The outputs of Oracle O i will allow a simulator to produce different type of secret keys, update keys and decryption keys, different type of ciphertext and challenge keys for one corresponding game demonstrated in Table 3. All oracles are defined with respect to a bilinear group G of order p = p 1 p 2 p 3 and initially choose random elements g, u, v, w, u 0 , v 0 , w 0 2 G p 1 , g 2 2 G p 2 , g 3 2 G p 3 as well as random exponents ψ 1 , ψ 2 , σ 1 , σ 2 , a 0 , b 0 , s, δ 1 , δ 2 , γ 2 Z n . They provide the attacker with a description of the group G, as well as the group elements g; u; v; w; g s g g 2 ; w y ðg 2 g 3 Þ yc 1 ; g y ðg 2 g 3 Þ y ; v y ðg 2 g 3 Þ ys 1 ; Every oracle is allowed to simulate the semi-functional ciphertexts, normal and semi-functional (H)IBE private keys according to the provided group elements in Eq 2. We define the oracles from O 0 to O 4 in which the simulators will be allowed to produce a normal challenge decryption key. The outputs of Oracle O 0 will allow a simulator to produce a semi-functional challenge ciphertext, a normal challenge (H)IBE private key. The outputs of Oracle O 1 will allow a simulator to produce a semi-functional challenge ciphertext, a type-2 ephemeral semifunctional (ESF-2) challenge HIBE private key and a normal challenge IBE private key. The outputs of Oracle O 1 + will allow a simulator to produce a semi-functional challenge ciphertext, an type-2 ephemeral semi-functional (ESF-2) challenge IBE private key an normal challenge HIBE private key. The outputs of Oracle O 3 will allow a simulator to produce a type-1 ephemeral semi-functional(ESF-1) ciphertext, and a type-2 ephemeral semi-functional(ESF-2) challenge (H)IBE private key. Finally, the outputs of Oracle O 4 will allow a simulator to produce a semi-functional challenge ciphertext, and a semi-functional challenge (H)IBE private key.
We define the oracles from O 5 to O 7 in which the simulators will be allowed to produce a semi-functional challenge (H)IBE key. The outputs of Oracle O 5 will allow a simulator to produce a semi-functional ciphertext, and an ephemeral semi-functional challenge decryption key. The outputs of Oracle O 6 will allow a simulator to produce an type-1 ephemeral semifunctional(ESF-1) ciphertext, and a type-2 ephemeral semi-functional(ESF-2) challenge decryption key. Finally, the outputs of Oracle O 7 will allow a simulator to produce a semi-functional ciphertext, and a semi-functional challenge decryption key.
Oracle O 0 The first oracle, which we will denote by O 0 , responds to queries as follows. Upon receiving a challenge HIBE-key-type query for I 2 Z n , it chooses r, y 0 2 Z n randomly and returns the group elements to the attacker. Upon receiving a challenge IBE-key-type query for T 2 Z n , it chooses r 0 , y 00 2 Z n randomly and returns the group elements ðw y 00 0 ; g y 00 ; v y 00 to the attacker. Upon receiving a challenge decryption-key-type query for I 2 Z n and T 2 Z n , it chooses r, y 0 , r 0 , y 00 2 Z n randomly and returns the group elements ðw y 0 ; g y 0 ; v y 0 ðu I hÞ r ; g r ; w y 00 0 ; g y 00 ; v y 00 to the attacker. Upon receiving a ciphertext-type query for I Ã 2 Z n , it chooses t 2 Z n randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for T Ã 2 Z n , it chooses t 0 2 Z n randomly and returns the group elements to the attacker.
Oracle O 1 The next oracle, which we will denote by O 1 , responds to queries as follows. Upon receiving a challenge HIBE-key-type query for I 2 Z n , it chooses r 00 , y 000 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 , X 3 , Y 3 2 G p 3 randomly. It returns the group elements ðw y 000 ; g y 000 ; v y 000 ðu I hÞ r 00 to the attacker. It responds to a ciphertext-type query, a challenge IBE-key-type query and a challenge decryption-key-type query in the same way as O 0 .
Oracle O 1 + The oracle O 1 + responds to queries as follows. Upon receiving a challenge IBEkey-type query for T 2 Z n , it chooses r 00 , y 000 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 , X 3 , Y 3 2 G p 3 randomly. It returns the group elements ðw y 000 0 ; g y 000 ; v y 000 to the attacker. It responds to a ciphertext-type query, a challenge HIBE-key-type query and a challenge decryption-key-type query in the same way as O 0 .
Oracle O 2 The next oracle, which we will denote by O 2 , responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a challenge IBE-key-type query, it responds in the same way as O 1 . Upon receiving a ciphertext-type query for I Ã 2 Z n , it chooses t 2 Z n randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for T Ã 2 Z n , it chooses t 0 2 Z n randomly and returns the group elements to the attacker. It responds to a challenge decryption-key-type query in the same way as O 0 .
Oracle O 2 + The next oracle, which we will denote by O 2 +, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a challenge IBE-key-type query, it responds in the same way as O 1 +. Upon receiving a ciphertext-type query for I Ã 2 Z n , it chooses t 2 Z n randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for T Ã 2 Z n , it chooses t 0 2 Z n randomly and returns the group elements to the attacker. It responds to a challenge decryption-key-type query in the same way as O 0 .
Oracle O 3 The next oracle, which we will denote by O 3 , responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a ciphertext-type query, it responds in the same way as O 2 . Upon receiving a challenge IBE-key-type query for I 2 Z n , it chooses r 00 , y 000 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 , X 3 , Y 3 2 G p 3 randomly. It returns the group elements ðw y 000 0 ; g y 000 ; v y 000 to the attacker. It responds to a challenge decryption-key-type query in the same way as O 0 .
Oracle O 4 The next oracle, which we will denote by O 4 , responds to ciphertext-type queries in the same way as O 0 , and responds to a challenge HIBE-key-type query for I 2 Z n , by choosing r, y 0 2 Z n randomly and returns the group elements to the attacker. Upon receiving a challenge IBE-key-type query for T 2 Z n , it chooses r 0 , y 00 2 Z n randomly and returns the group elements ðw y 00 0 ðg 2 g 3 Þ y 00 c 2 ; g y 00 ðg 2 g 3 Þ y 00 ; v y 00 to the attacker. It responds to a challenge decryption-key-type query in the same way as O 0 .
Oracle O 5 The next oracle, which we will denote by O 5 , responds to queries as follows. Upon receiving a challenge decryption-key-type query for I, T 2 Z n , it chooses r, y 0 , r 0 , y 00 2 Z n randomly, and also chooses X 2 ; to the attacker. It responds to a ciphertext-type query and a challenge (H)IBE-key-type query in the same way as O 4 .
Oracle O 6 The next oracle, which we will denote by O 6 , responds to queries as follows. Upon receiving a ciphertext-type query for I Ã 2 Z n , it chooses t 2 Z n randomly and returns the group elements to the attacker. Upon receiving a ciphertext-type query for T Ã 2 Z n , it chooses t 0 2 Z n randomly and returns the group elements to the attacker. It responds to a decryption-type query and a challenge (H)IBE-key-type query in the same way as O 5 .
The last oracle, which we will denote by O 7 , responds to ciphertext-type queries in the same way as O 0 , and responds to a challenge decryption-key-type query for I, T 2 Z n , by choosing r, y 0 , r 0 , y 00 2 Z n randomly and returns the group elements ; v y 0 ðg 2 g 3 Þ y 0 s 1 ðu I hÞ r ; g r ; w y 00 0 ðg 2 g 3 Þ y 00 c 2 ; g y 00 ðg 2 g 3 Þ y 00 ; v y 00 to the attacker. It responds to a challenge (H)IBE-key-type query in the same way as O 6 . We define the advantage of an attacker A in distinguishing between O i and O j to be jPr½AðO i Þ ¼ 1 À Pr½AðO j Þ ¼ 1j. Here, we assume that A interacts with either O i or O j , and then outputs a bit 0 or 1 encoding its guess of which oracle it interacted with.

Strategy for the indistinguishability of G C 0 and G SF
0 0 . For the proof of the indistinguishability of G C 0 and G SF 0 , we cannot use the simple nested dual system in U-HIBE [11] that change a normal private key(or normal update key) to an ephemeral semi-fuctional private key(or semi-functional update key) one by one since the adversary of RHIBE can query a private key for ID| k 2 Prefix(ID Ã | l ) and an update key for T Ã .
To solve this problem, we firstly use a modular design strategy like [13] and construct the private keys and update keys from smaller component keys. A secret key SK ID| k consists of many HIBE private keys which are represented as {SK HIBE,S θ } S θ 2Path and an update key UK ID| k−1 ,T,R consists a randomized decryption key RSK HIBE and many IBE private keys {SK IBE,S i } S i 2CVR where each HIBE private key (or an IBE private key) is associated with a node S j in BT ID| k−1 . The HIBE and IBE private keys can be grouped together if they are related to the same node S j in BT ID| k−1 and a correct decryption key is constructed form the grouped (H)IBE private key.
To uniquely identify a node S j 2 BT ID| k−1 , we define a node identifier NID of this node as a string ID| k−1 ||L j where L j = Label(v j ). To prove the indistinguishability of G C 0 and G SF 0 0 , we change normal HIBE private keys and normal IBE private keys that are related to the same node identifier NID into (ephemeral) semi-functional keys by defining additional hybrid games. This additional hybrid games are performed for all node identifiers that are used in the key queries of the adversary.
Secondly, we give the equivalent model in which the challenger B answers the secret (update, and decryption) key queries of the adversery A by requesting the associated (H)IBE private keys from an oracle simulator O, shown in Fig 1. When the adversary A queries B for the secret key, update key or decryption key for some identity and some time period, B constructs the key by the (H)IBE-challenge-key or decryption-challenge-key it queries from the oracle simulator O. O adaptively answers B the corresponding group elements which it constructs by using the public paremeters given by some complexity assumption. Therefore, under the complexity assumptions, the oracle O i that O chooses to answer B is indistinguishable and consequently the adversary A cannot distinguish whether A is playing the real RHIBE game or other variation games based on all the answers A recieves after the adaptive queries to B.
For additional hybrid games that change HIBE private keys (or IBE private keys) that are related to the same node identifier NID = ID| k−1 ||L j from normal keys to semi-functional keys, Unbounded and revocable hierarchical identity-based encryption with adaptive security we need to define an index pair (i n , i c ) for an HIBE private key (or an IBE private key) that is related to the node v j 2 BT ID| k−1 where i n is a node index and i c is a counter index. Suppose that an HIBE private key (or an IBE private key) is related to a node NID. The node index i n for the HIBE private key (or the IBE private key) is assigned as follows: If the node v j 2 BT ID| k−1 with a node identifier NID appears first time in key queries, then we set in as the number of distinct node identifiers in previous key queries plus one. If the node identifier NID already appeared before in key queries, then we set i n as the value i 0 n of previous HIBE private key (or IBE private key) with the same node identifier. The counter index i c of an HIBE private key is assigned as follows: If the node identifier NID appears first time in HIBE private key queries, then we set i c as one. If the node identifier NID appeared before in HIBE private key queries, then we set i c as the number of HIBE private keys with the same node identifier that appeared before plus one. Similarly, we assigns the counter index i c of an IBE private key.
Thirdly, we divide the behavior of an adversary as two types: Type-1 and Type-2. We next show that the semi-functional key invariance property holds for two types of the adversary. Let ID Ã l be the challenge hierarchical identity and T Ã be the challenge time. For a challenge node v with the node index h in the hybrid games from Game C and Game SF , the adversary types are formally defined as follows: 1. Type-1: An adversary is Type-1 if it queries on a hierarchical identity IDj k = 2 PrefixðID Ã l Þ for all HIBE private keys with the node index h, and it queries on time T = T Ã for at least one IBE private key with the node index h.

Type-2:
An adversary is Type-2 if it queries on time T = 2 T Ã for all IBE private keys with the node index h. Note that it may query on a hierarchical identity ID| k 2 Prefix(ID Ã | l ) for at least one HIBE private key with h, or it may query on a hierarchical identity We prove our dual system encryption RHIBE scheme via a hybrid argument over the sequence of games in Table 3. For the different type of adversary, the squence of games is basicly the same except that: 1. For the Type-1 adversary, we prove the indistinguishability of G C 0 and G ESF 0 by the transition from G C 0 to G EK−S , and to G ESF 0 without the attacker's advantage changing by a nonnegligible amount.
2. For the Type-2 adversary, we prove the indistinguishability of G C 0 and G ESF 0 by the transition from G C 0 to G EK−U , and to G ESF 0 without the attacker's advantage changing by a nonnegligible amount.

Theorem 2 Under Assumptions 3 and 4, our dual system encryption RHIBE scheme has the equation
We will prove these indistinguishabilities between games and G SF 00 by going through several intermediary oracles. The main properties of our oracles are summarized in Tables 4 and 5 for the Type-1 adversary and Table 6 for the Type-2 adversary respectively. We intend these tables to be used only as a quick reference guide, not as a definition. We give a complete proof for the Type-1 adversary, and a brief explanation of the proof for the Type-2 adversary is demonstrated then.

Type-1 adversary.
As defined before, the Type-1 adversary is restricted to queries on a hierarchical identity IDj k = 2 PrefixðID Ã l Þ. By quering for all HIBE private keys with any node index h where the node is on the path from the root to the leaf node v ID| k in the tree BT ID| k−1 , the adversary derives the secret key of ID| k .
So we could show an information theoretic argument for the HIBE private keys from normal to ephemeral semi-functional HIBE keys, then to semi-functional HIBE keys. At the Table 4. Simulation of challenge keys and cipertext in oracles for the proof of the indistinguishability between G C 0 and G SF 0 0 under Type-1 adversary.

Oracle CT-Type Response SK-Type Response UK-Type Response DK-Type Response
Note: oracles marked with † initialize with an extra G p 3 term on g s g g 2 .
https://doi.org/10.1371/journal.pone.0195204.t004 Table 5. Defination of games between G ESF 0 and G SF 0 0 . Unbounded and revocable hierarchical identity-based encryption with adaptive security meanwhile, by adaptively transforming the types of IBE private keys sooner or later than the transformation of HIBE private keys, we avoid a potential paradox for the update keys. From the flollowing Lemma 1, to Lemma 20, we obtain the advantage of Type-1 adversary to distinguish between G C 0 and G SF 0 0 under Type-1 adversary as

Games Oracles Keys in Queries Challenge Ciphertext
We give the proof of those lemmas in Appendix.B.
(1) Indistinguishability of G C 0 and G E−S For the security proof of the indistinguishability of G C 0 and G E−S , we define a sequence of additional hybrid games G C 0 ,1 , . . ., G C 0 ,h , . . ., G C 0 ,q n , where G C 0 = G C 0 ,0 and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G C 0 ,h for 1 h q n , the challenge ciphertext is semi-functional, all IBE private keys are normal, HIBE private keys with a node index i n h are of ESF-2, the remaining HIBE private keys with a node index i n > h are normal.
Oracle O 1/2 This oracle initializes in the same way as O 0 , O 1 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type Table 6. Simulation of challenge keys and cipertext in oracles under Type-2 adversary for the proof of the indistinguishability between G C 0 and G SF 0 0 .

Oracle CT-Type Response SK-Type Response UK-Type Response DK-Type Response
query for I 2 Z n , it chooses r 0 , y 0 2 Z n randomly, and also chooses X 3 , Y 3 2 G p 3 randomly. It returns the group elements Let Adv be the advantage of A in a game G C 0 ,h . From the Lemma 1, 2, we obtain the following equation So we obtain the following equation (2) Indistinguishability of G E−S and G E−S 0 We now prove the indistinguishability of G E−S and G E−S 0 in a hybrid argument using polynomially many steps. We let q c denote the number of ciphertext-type queries made by a PPT attacker A. Firstly we define hybrid games The games are formally defined as follows: Game S k,1 This game S k,1 for 0 k q c is almost the same as G E−S except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-2 k -CT outputed by EncryptESF-2 k defined in AppendixA.
Game S k,2 This game S k,2 for 0 k q c − 1 is almost the same as G E−S except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-3 k -CT outputed by EncryptESF-3 k defined in AppendixA.
Game S k, 3 This game S k,3 for 0 k q c − 1 is almost the same as G E−S except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-4 k -CT outputed by EncryptESF-4 k defined in AppendixA.
We will define additional oracles O Ã i for each i from 0 to q c − 1, O 0 i for each i from 0 to q c − 1, and O 00 i for each i from 0 to q c − 1, to sample various distributions of group elements used for constructing the various types of ciphertexts in Game S k,1 , Game S k,2 and Game S k, 3 .
Oracle O Ã i This oracle initializes in the same way as O 1 , O 2 and provides the attacker with initial group elements from the same distribution. It also responds to challenge key-type queries in the same way as O 1 , O 2 . It keeps a counter of ciphertext-type queries which is initially equal to zero. It increments this counter after each response to a ciphertext-type query. In response to the jth ciphertext-type query for some i This oracle acts the same as O Ã i except in its response to the i th ciphertext-type query. For the i th ciphertext-type query for identity I Ã , it chooses a random t 2 Z N and random elements X 3 , Y 3 2 G p 3 and responds with: If i = 0, the i th ciphertext-type query is for time T Ã . It chooses a random t 0 2 Z N and random elements X 0 3 ; Y 0 3 2 G p 3 and responds with: Oracle O 00 i This oracle acts the same as O Ã i except in its response to the i th ciphertext-type query. For the i th ciphertext-type query for identity I Ã , it chooses a random t 2 Z N and random elements X 3 , Y 3 2 G p 3 and responds with: If i = 0, the i th ciphertext-type query is for time T Ã . It chooses a random t 0 2 Z N and random elements X 0 3 ; Y 0 3 2 G p 3 and responds with: A be the advantage of A in the games S k,1 , S k,2 and S k, 3 . From the Lemma 3, 4, 5, we obtain the following equation (3) Indistinguishability of G E−S 0 and G ESF 0 For the security proof of the indistinguishability of G E−S 0 and G ESF 0, we define a sequence of additional hybrid games G S 0 ,1 , . . ., G S 0 ,h , . . ., G S 0 ,q n , where G E−S 0 = G S 0 ,0 and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G S 0 ,h for 1 h q n , the challenge ciphertext is semi-functional, all IBE private keys are ESF-2, IBE private keys with a node index i n h are of ESF-2, the remaining HIBE private keys with a node index i n > h are normal.
Oracle O 5/2 This oracle initializes in the same way as O 2 , O 3 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge IBE-key-type query for T 2 Z n , it chooses r 0 , y 0 2 Z n randomly, and also chooses X 3 , Y 3 2 G p 3 randomly. It returns the group elements to the attacker. It responds to a ciphertext-type query or a challenge HIBE-key-type query in the same way as O 2 . We define hybrid games E 1,1 , E 1,2 , Á Á Á, E h c ,1 , H h c ,2 , . . ., E q s ,1 , E q s ,2 where E 0,2 = G S 0 ,h and E q e ,2 = G S 0 ,h+1 , and q e is the maximun number of IBE private key queries for the node index h. The games are formally defined as follows: Game E h c ,1 This game E h c ,1 for 1 h c q e is almost the same as G S 0 ,h except the generation of HIBE private keys and IBE private keys with the node index h. An HIBE private key with an index pair (h, i c ) is generated as ESF-2. An IBE private key with an index pair (h, i c ) is generated as follows: So we obtain the following equation (4) Indistinguishability of G ESF 0 and G SF 0 0 For the security proof of the indistinguishability of G ESF 0 and G SF 0 0 , we define a sequence of games G ESF 0 −1 , Á Á Á, G ESF 0 −5 to change the type of secret keys and update keys from ESF-2 to ESF-4 and the type of ciphertexts from ESF-1 to ESF-5 and G ESF 0 −6 , Á Á Á, G ESF 0 −8 to change the type of update keys to semi-functional and the type of ciphertexts back to semi-functional. In Table 5, we give the types of key in the queries and the challenge cipertext in every game, and the decryption situation according to the types of keys and ciphertexts. We firstly prove the indistinguishabilities between G ESF 0 to G ESF 0 −1 , G ESF 0 −1 to G ESF 0 −8 . And then we prove the indistinguishability of G ESF 0 −8 and G SF 0 0 . Indistinguishability of G ESF 0 and G ESF 0 −1 . For the security proof of the indistinguishability of G ESF 0 and G ESF 0 −1 , we define a sequence of games additional hybrid games G F 0 ,1 , . . ., G F 0 ,h , . . ., G F 0 ,q n , where G ESF 0 = G F 0 ,0 and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G F 0 ,h for 1 h q n , the challenge ciphertext is ESF-1, all IBE private keys are ESF-2, HIBE private keys with a node index i n h are of ESF-3, the remaining HIBE private keys with a node index i n > h are ESF-2.
Oracle O 3.1 This oracle initializes in the same way as O 3 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type query for I 2 Z n , it chooses r, y 0 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 and X 3 , Y 3 2 G p 3 randomly. It returns the group elements to the attacker. It responds to a ciphertext-type query or a challenge IBE-key-type query in the same way as O 3 . We define games F 1 , Á Á Á, F h c , . . ., F q s where F 0 = G S 0 ,h and F q s = G S 0 ,h+1 , and q s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows: Game F h c This game F h c for 1 h c q s is almost the same as G F 0 ,h except the generation of HIBE private keys and IBE private keys with the node index h. An IBE private key with an index pair (h, i c ) is generated as ESF-2. An HIBE private key with an index pair (h, i c ) is generated as follows: Indistinguishability of G ESF 0 −1 and G ESF 0 −2 . For the security proof of the indistinguishability of G ESF 0 −1 and G ESF 0 −2 , we define a sequence of games and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G F 0 −1,h for 1 h q n , the challenge ciphertext is ESF-1, all HIBE private keys are ESF-3, IBE private keys with a node index i n h are of ESF-3, the remaining HIBE private keys with a node index i n > h are ESF-2.
Oracle O 3.2 This oracle initializes in the same way as O 3.1 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge IBE-key-type query for T 2 Z n , it chooses r, y 0 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 and X 3 , Y 3 2 G p 3 randomly. It returns the group elements to the attacker. It responds to a ciphertext-type query or a challenge HIBE-key-type query in the same way as O 3.1 . We define hybrid games Let Adv G F 0 À 1;h A be the advantage of A in a game G F 0 −1,h . From the Lemma 9, we obtain the following equation Indistinguishability of G ESF 0 −2 and G ESF 0 −3 . For the security proof of the indistinguishability of G ESF 0 −2 and G ESF 0 −3 , we define the oracle below.
Oracle O 3.3 This oracle initializes a bit differently from the other oracles. It fixes random elements g, u, h, v, w, u 0 , h 0 , v 0 , w 0 2 G p 1 , g 2 2 G p 2 , g 3 2 G p 3 . It chooses random exponents s; g; d 1 ; d 2 ; y; y 0 ; c; s 1 ; s 2 ; a 0 ; b 0 ; t 3 ; t 0 3 ; t 00 3 2 Z N . It initially provides the attacker with the group elements: ðg; u; h; v; w; g s ðg 2 g 3 Þ g ; w y ðg 2 g 3 Þ yc ; g y ðg 2 g 3 Þ y ; v y ðg 2 g 3 Þ ys 1 ; What differs from the previous oracles here is the added g g 3 and term: notice that this is uniformly random in G p 3 , since γ is random modulo p 3 (and uncorrelated from its value modulo p 2 ). This oracle answers the challenge-key type query in the same way as O 3.2 . To answer a ciphertext-type query for I, it chooses random values t 2 Z N and responds with: To answer a ciphertext-type query for T, it chooses random values t 2 Z N and responds with: It is crucial to note that these G p 3 terms arethe same for each ciphertext-type query response. From the Lemma 10, we obtain the following equation Indistinguishability of G ESF 0 −3 and G ESF 0 −4 : For the security proof of the indistinguishability of G ESF 0 −3 and G ESF 0 −4 , we define a sequence of games additional hybrid games G F 0 −3,1 , . . ., and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G F 0 −3,h for 1 h q n , the challenge ciphertext is ESF-5, all IBE private keys are ESF-3, HIBE private keys with a node index i n h are of ESF-4, the remaining HIBE private keys with a node index i n > h are ESF-3.
Oracle O 3.4 This oracle initializes in the same way with O 3.3 and provides the attacker the same initial elements as O 3.3 . This oracle answers the ciphertext-type query and IBE key-type query in the same way as O 3.3 . To answer a challenge HIBE private key type query for I, it chooses random values y, r 2 Z N , X 2 , Y 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 and responds with: We define hybrid games F3 1 , Á Á Á, F3 h c , . . ., F3 q s where F3 0 = G F 0 −3,h and F3 q s = G F 0 −3,h+1 , and q s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows: Game F3  Let Adv be the advantage of A in a game G F 0 −3,h . From the Lemma 11, we obtain the following equation Indistinguishability of G ESF 0 −4 and G ESF 0 −5 . For the security proof of the indistinguishability of G ESF 0 −4 and G ESF 0 −5 , we define a sequence of games additional hybrid games G F 0 −4,1 , . . ., and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G F 0 −4,h for 1 h q n , the challenge ciphertext is ESF-5, all HIBE private keys are ESF-4, IBE private keys with a node index i n h are of ESF-4, the remaining IBE private keys with a node index i n > h are ESF-3.
Oracle O 3.5 This oracle initializes in the same way with O 3.4 and provides the attacker the same initial elements as O 3.4 . This oracle answers the ciphertext-type query and HIBE keytype query in the same way as O 3.4 . To answer a challenge IBE private key type query for T, it chooses random values y, r 2 Z N , X 2 , Y 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 and responds with: We define hybrid games Indistinguishability of G ESF 0 −5 and G ESF 0 −6 . For the security proof of the indistinguishability of G ESF 0 −5 and G ESF 0 −6 , we define the oracle below.
Oracle O 3.6 This oracle fixes random elements g, u, h, v, w, u 0 , h 0 , v 0 , w 0 2 G p 1 , g 2 2 G p 2 , g 3 2 G p 3 . It chooses random exponents s; g; d 1 ; d 2 ; y; y 0 ; c; s 1 ; s 2 ; a 0 ; b 0 ; t 3 ; t 0 3 ; t 00 3 2 Z N . It initially provides the attacker with the group elements: ðg; u; h; v; w; g s ðg 2 g 3 Þ g ; w y ðg 2 g 3 Þ yc ; g y ðg 2 g 3 Þ y ; v y ðg 2 g 3 Þ ys 1 ; What differs from the previous oracles here is the added g g 3 and term: notice that this is uniformly random in G p 3 , since γ is random modulo p 3 (and uncorrelated from its value modulo p 2 ). This oracle answers the challenge-key type query in the same way as O 3.2 . To answer a ciphertext-type query for I, it chooses random values t 2 Z N and responds with: To answer a ciphertext-type query for T, it chooses random values t 2 Z N and responds with: It is crucial to note that these G p 3 terms arethe same for each ciphertext-type query response. Lemma 13 Under Assumptions 4, no PPT attacker can distinguish between O 3.5 and O 3.6 with non-negligible advantage. So no PPT attacker can distinguish between G ESF 0 −5 and G ESF 0 −6 with non-negligible advantage.
From the Lemma 13, we obtain the following equation Indistinguishability of G ESF 0 −6 and G ESF 0 −7 . For the security proof of the indistinguishability of G ESF 0 −6 and G ESF 0 −7 , we define a sequence of games G F 0 −6,1 , . . ., G F 0 −6,h , . . ., G F 0 −6,q n , where G ESF 0 −6 = G F 0 −6,0 and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G F 0 −6,h for 1 h q n , the challenge ciphertext is ESF-1, all HIBE private keys are ESF-4, IBE private keys with a node index i n h are semi-functional, the remaining IBE private keys with a node index i n > h are ESF-4.
Oracle O 7/2 0 This oracle initializes in the same way as O 3.6 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge IBE-key-type query for T 2 Z n , it chooses r, y 0 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 and X 3 , Y 3 2 G p 3 randomly. It returns the group elements to the attacker. It responds to a ciphertext-type query or a challenge HIBE-key-type query in the same way as O 3.6 .
We define hybrid games F6 Oracle e O Ã i This oracle initializes in the same way as O Ã i , and provides the attacker with initial group elements from the same distribution. It also responds to a ciphertext-type query as same as O Ã i . It responds to a HIBE-key-type query in the same way as O 3.6 . Upon receiving a challenge IBE-key-type query for T 2 Z n , it chooses r, y 0 2 Z n randomly, and returns the group elements Indistinguishability of G ESF 0 −7 and G ESF 0 −8 . We now prove the indistinguishability of G ESF 0 −7 and G ESF 0 −8 in a hybrid argument using polynomially many steps. We let q c denote the number of ciphertext-type queries made by a PPT attacker A. Firstly we define hybrid games S 0 À 1;1 ; S 0 0;2 ; S 0 0;3 ; S 0 0;1 , S 0 1;2 ; S 0 1;3 ; S 0 1;1 . . ., S 0 k;2 ; S 0 k;3 ; S 0 k;1 ; . . . ; S 0 q c À 1;2 ; S 0 q c À 1;3 ; S 0 q c À 1;1 , where S 0 À 1;1 ¼ G ESF 0 À 7 and S 0 q c À 1;1 ¼ G ESF 0 À 8 . The games are formally defined as follows: Game S 0 k;1 This game S 0 k;1 for 0 k q c is almost the same as G ESF 0 −7 except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-2 k -CT outputed by EncryptESF-2 k . Game S 0 k;2 This game S 0 k;2 for 0 k q c − 1 is almost the same as G ESF 0 −7 except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-3 k -CT outputed by EncryptESF-3 k .
Game S 0 k;3 This game S 0 k;3 for 0 k q c − 1 is almost the same as G ESF 0 −7 except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-4 k -CT outputed by EncryptESF-4 k . We Indistinguishability of G ESF 0 −8 and G SF 0 0 . For the security proof of the indistinguishability of G ESF 0 −8 and G SF 0 0 , we define a sequence of games G F 0 −8,1 , . . ., G F 0 −8,h , . . ., G F 0 −8,q n , where G ESF 0 −8 = G F 0 −8,0 and q n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G F 0 −8,h for 1 h q n , the challenge ciphertext is semi-functional, all IBE private keys are semi-functional, HIBE private keys with a node index i n h are semi-functional, the remaining HIBE private keys with a node index i n > h are ESF-4.
Oracle O 7/2 This oracle initializes in the same way as e O Ã 0 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type query for I 2 Z n , it chooses r, y 0 2 Z n randomly, and also chooses X 2 , Y 2 2 G p 2 and X 3 , Y 3 2 G p 3 randomly. It returns the group elements ðw y 0 ðg 2 g 3 Þ y 0 c ; g y 0 ðg 2 g 3 Þ y 0 ; v y 0 ðu I hÞ r X 2 X 3 ; g r Y 3 Þ ð51Þ to the attacker. It responds to a ciphertext-type query or a challenge IBE-key-type query in the same way as e O Ã 0 . We define hybrid games I 1,1 , I 1,2 , Á Á Á, I h c ,1 , I h c ,2 , . . ., I q s ,1 , I q s ,2 where I 0,2 = G F 0 −8,h and I q s ,2 = G F 0 −8, h+1 , and q s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows: Game I h c ,1 This game I h c ,1 for 1 h c q s is almost the same as G F 0 −8,h except the generation of HIBE private keys and IBE private keys with the node index h. An IBE private key with an index pair (h, i c ) is generated as a semi-functional key. An HIBE private key with an index pair (h, i c ) is generated as follows: So we obtain the following equation According to the equations Eqs 23, 28, 30, 53, we obtain the following equation The proof strategy for the indistinguishabilities between games G C 0 to G EK−U , and to G ESF 0 under the Type-2 adversary is by going through several intermediary oracles in Table 6, where the type settings of the update keys and the secret keys in every oracle and game respectively are swaped compared to the setting in Sec.4.4.2. The proof of every respective lemma is similar to the proof for the Type-1 adversary, and finally we obtain the advantage between G C 0 and G ESF 0 under the Type-2 adversary as same in Eq 54.

Indistinguishability of G SF 00 and G SF 0
In the game G SF 0 0 , the type of ciphertexts, secret keys and update keys are all semi-functional, except the decryption keys are normal. In this section, we give the proof of the indistinguishability of G SF 0 0 and G SF 0 via a hybrid argument over the sequence of games G SF 0 0 , G E−D , G ESF and G SF 0 to transform the type of decryption keys from normal to ephemeral semi-functional, and then to semi-functional.
The hybrid argument we conduct for the indistinguishability of G SF 0 0 and G SF 0 is following the process similar to the argument for the indistinguishability of G C 0 and G SF 0 0 . But it is simpler since the transformation of challenge type only happens to the decryption keys and the challenge ciphertexts. So we just treat the decryption keys as a secret key of the identity (T, id 1 , Á Á Á, id j ) and follow the proof strategy in the nested dual system encryption of the unbounded HIBE [12].
We show the oracles for proving the the indistinguishability of G SF 00 and G SF 0 in Table 7 which answer queries from the challenger B by sampling various distributions of group elements to construct the decryption keys, challenge ciphertexts and also the secret keys and update keys.
Since these oracles initially provide the attacker with a description of the group G, as well as the group elements g; u; v; w; g s g g 2 ; w y ðg 2 g 3 Þ yc ; g y ðg 2 g 3 Þ y ; v y ðg 2 g 3 Þ ys ; So the simulation of semi-functional secret keys and update keys are achievable in all oracles and games.
(1) Indistinguishability of G SF 0 0 and G E−D For the security proof of the indistinguishability of G SF 0 0 and G E−D , we define a sequence of additional hybrid games J 1,1 , J 1,2 , Á Á Á, J h d ,1 , J h d ,2 , . . ., J q d ,1 , J q d ,2 where J 0,2 = G SF 0 0 and J q d ,2 = G E−D , and q d is the number of decryption key queries of an adversary. The games and a additional oracle O 9/2 used in the proof are formally defined as follows: Oracle O 9/2 This oracle initializes in the same way as O 4 , O 5 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge decryptionkey-type query for I, T 2 Z n , it chooses r, y 0 , r 0 , y 00 2 Z n randomly, and also chooses It returns the group elements ðw y 0 ; g y 0 ; v y 0 ðu I hÞ r X 3 ; g r Y 3 ; w y 00 0 ; g y 00 ; v y 00 Note: oracles marked with † initialize with an extra G p 3 term on g s g g 2 . https://doi.org/10.1371/journal.pone.0195204.t007 Unbounded and revocable hierarchical identity-based encryption with adaptive security

Lemma 22 Under Assumptions 4, no PPT attacker can distinguish between O 9/2 and O 5 with non-negligible advantage. So no PPT attacker can distinguish between J h d ,1 and J h d ,2 with nonnegligible advantage.
From the Lemma 21, 22, we obtain the following equation (2) Indistinguishability of G E−D and G ESF We now prove the indistinguishability of G E−D and G ESF in a hybrid argument using polynomially many steps. We let q c denote the number of ciphertext-type queries made by a PPT attacker A. Firstly we define hybrid games L −1,1 , L 0,2 , L 0,3 , L 0,1 , L 1,2 , L 1,3 , L 1,1 Á Á Á, L k,2 , L k,3 , L k,1 , . . ., L q c −1,2 , L q c −1,3 , L q c −1,1 , where L −1,1 = G E−D and L q c −1,1 = G ESF . The games are formally defined as follows: Game L k,1 This game L k,1 for 0 k q c is almost the same as G E−D except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-2 k -CT outputed by EncryptESF-2 k .
Game L k,2 This game L k,2 for 0 k q c − 1 is almost the same as G E−D except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-3 k -CT outputed by EncryptESF-3 k .
Game L k, 3 This game L k,3 for 0 k q c − 1 is almost the same as G E−D except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-4 k -CT outputed by EncryptESF-4 k .
We will define additional oracles O Ã i for each i from 0 to q c − 1, O 0 i for each i from 0 to q c − 1, and O 00 i for each i from 0 to q c − 1.

Oracle
O Ã i This oracle initializes in the same way as O 5 , O 6 and provides the attacker with initial group elements from the same distribution. It also responds to challenge key-type queries in the same way as O 5 , O 6 . It keeps a counter of ciphertext-type queries which is initially equal to zero. It increments this counter after each response to a ciphertext-type query. In response to the j th ciphertext-type query for some I Ã j , if j i, it responds exactly like O 6 . If j > i, it responds exactly like O 5 . In particular, O 0 i This oracle acts the same as O Ã i except in its response to the i th ciphertext-type query. For the i th ciphertext-type query for identity I Ã , it chooses a random t 2 Z N and random elements X 3 , Y 3 2 G p 3 and responds with: If i = 0, the i th ciphertext-type query is for time T Ã . It chooses a random t 0 2 Z N and random elements X 0 3 ; Y 0 3 2 G p 3 and responds with: Oracle O 00 i This oracle acts the same as O Ã i except in its response to the ith ciphertext-type query. For the i th ciphertext-type query for identity I Ã , it chooses a random t 2 Z N and random elements X 3 , Y 3 2 G p 3 and responds with: If i = 0, the i th ciphertext-type query is for time T Ã . It chooses a random t 0 2 Z N and random elements X 0 3 ; Y 0 3 2 G p 3 and responds with: From the Lemma 23, 24, 25, we obtain the following equation (

3) Indistinguishability of G ESF and G SF 0
For the security proof of the indistinguishability of G ESF and G SF 0 , we define a sequence of games G ESF−1 , G ESF−2 , G ESF−3 to change the type of decryption keys from ESF-2 to ESF-4 and the type of ciphertexts from ESF-1 to ESF-5 and G ESF−4 , G ESF−5 , G ESF−6 to change the type of decryption keys to semi-functional and the type of ciphertexts back to semi-functional. In Table 8, we give the types of key in the queries and the challenge cipertext in every game, and the decryption situation according to the types of keys and ciphertexts.   Unbounded and revocable hierarchical identity-based encryption with adaptive security We firstly prove the indistinguishabilities between G ESF to G ESF−1 , G ESF−1 to G ESF−5 . And then we prove the indistinguishability of G ESF−5 and G SF 0 .
Indistinguishability of G ESF and G ESF−1 . For the security proof of the indistinguishability of G ESF and G ESF−1 , we define games G F,1 , Á Á Á, G F,h d , . . ., G F,q d where G F,0 = G ESF and G F,q d = G ESF−1 , and q d is the number of decryption key queries of an adversary. In the game G F,h for 1 h q d , the challenge ciphertext is ESF-1, all (H)IBE private keys are semi-functional, the i st queried decryption key where i h are of ESF-3, the remaining decryption keys with i > h are ESF-2.
Oracle O 6.1 This oracle initializes in the same way as O 6 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge decryptionkey-type query for I, T 2 Z n , it chooses r, y 0 , r 0 , y 00 2 Z n randomly, and also chooses It returns the group elements w y 00 0 g y 00 c 2

3
; g y 00 g y 00 to the attacker. It responds to a ciphertext-type query or a challenge (H)IBE-key-type query in the same way as O 6 .

Lemma 26 Under Assumptions 3, no PPT attacker can distinguish between O 6 and O 6.1 with non-negligible advantage. So no PPT attacker can distinguish between G F,h d −1 and G F,h d with non-negligible advantage.
Let Adv be the advantage of A in a game G F 0 ,h . From the Lemma 27, we obtain the following equation Indistinguishability of G ESF−1 and G ESF−2 . For the security proof of the indistinguishability of G ESF−1 and G ESF−2 , we define the oracle below.
Oracle O 6.2 This oracle initializes a bit differently from the other oracles. It fixes random elements g, u, h, v, w, u 0 , h 0 , v 0 , w 0 2 G p 1 , g 2 2 G p 2 , g 3 2 G p 3 . It chooses random exponents s; g; d 1 ; d 2 ; y; y 0 ; c; s 1 ; s 2 ; a 0 ; b 0 ; t 3 ; t 0 3 ; t 00 3 2 Z N . It initially provides the attacker with the group elements: ðg; u; h; v; w; g s ðg 2 g 3 Þ g ; w y ðg 2 g 3 Þ yc ; g y ðg 2 g 3 Þ y ; v y ðg 2 g 3 Þ ys 1 ; What differs from the previous oracles here is the added g g 3 and term: notice that this is uniformly random in G p 3 , since γ is random modulo p 3 (and uncorrelated from its value modulo p 2 ). This oracle answers the challenge-key type query in the same way as O 6.1 . To answer a ciphertext-type query for I, it chooses random values t 2 Z N and responds with: To answer a ciphertext-type query for T, it chooses random values t 2 Z N and responds with: It is crucial to note that these G p 3 terms arethe same for each ciphertext-type query response.

Lemma 27 Under Assumptions 4, no PPT attacker can distinguish between O 6.1 and O 6.2 with non-negligible advantage. So no PPT attacker can distinguish between G ESF−1 and G ESF−2 with non-negligible advantage.
From the Lemma 27, we obtain the following equation Indistinguishability of G ESF−2 and G ESF−3 : For the security proof of the indistinguishability of G ESF−2 and G ESF−3 , we define a sequence of games additional hybrid games G F−2,1 , . . .,  G F−2,h , . . ., G F−2,q d , where G ESF−2 = G F−2,0 and q d is the number of decryption key queries of an adversary. In the game G F−2,h for 1 h q d , the challenge ciphertext is ESF-5, all (H)IBE private keys are semi-functional, the i st queried decryption key where i h are of ESF-4, the remaining decryption keys with i > h are ESF-3.
Oracle O 6.3 This oracle initializes in the same way with O 6.2 and provides the attacker the same initial elements as O 6.2 . This oracle answers the ciphertext-type query and (H)IBE keytype query in the same way as O 6.2 . To answer a challenge decryption key type query for I, I, it chooses random values y; r; y 0 ; r 0 2 Z N ; X 2 ; Y 2 ; X 0 2 ; Y 0 2 2 G p 2 randomly, and X 3 ; Y 3 ; X 0 3 ; Y 0 3 2 G p 3 and responds with:

Lemma 28 Under Assumptions 4, no PPT attacker can distinguish between O 6.2 and O 6.3 with non-negligible advantage. So no PPT attacker can distinguish between G F−2,h and G F−2,h+1 with non-negligible advantage.
Let Adv G FÀ 2;h A be the advantage of A in a game G F−2,h . From the Lemma 28, we obtain the following equation Indistinguishability of G ESF−3 and G ESF−4 . For the security proof of the indistinguishability of G ESF−3 and G ESF−4 , we define the oracle below.
Oracle } O Ã i This oracle initializes in the same way as O Ã i , and provides the attacker with initial group elements from the same distribution. It also responds to a ciphertext-type query as same as O Ã i . It responds to the decryption-key-type and (H)IBE-key-type queries in the same way as O 6.3 .

Lemma 29 Under Assumptions 4, no PPT attacker can distinguish between O 6.3 and } O Ã q c with non-negligible advantage. So no PPT attacker can distinguish between G ESF−3 and G ESF−4 with non-negligible advantage.
From the Lemma 29, we obtain the following equation Indistinguishability of G ESF−4 and G ESF−5 . We now prove the indistinguishability of G ESF−4 and G ESF−5 in a hybrid argument using polynomially many steps. We let q c denote the number of ciphertext-type queries made by a PPT attacker A. . . . ; I Ã q c À 1 Þ is generated as EST-2 k -CT outputed by EncryptESF-2 k . Game L 0 k;2 This game L 0 k;2 for 0 k q c − 1 is almost the same as G ESF−4 except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-3 k -CT outputed by EncryptESF-3 k .
Game L 0 k;3 This game L 0 k;3 for 0 k q c − 1 is almost the same as G ESF−4 except the generation of the challenge ciphertext. The challenge ciphertext of ðT Ã ; I Ã 1 ; . . . ; I Ã q c À 1 Þ is generated as EST-4 k -CT outputed by EncryptESF-4 k .
We will define additional oracles } O 0 i for each i from 0 to q c − 1, and } O 00 i for each i from 0 to q c − 1.
Oracle A be the advantage of A in the games L 0 k;1 , L 0 k;2 and L 0 k;3 . From the Lemma 30, 31, 32, we obtain the following equation Indistinguishability of G ESF−5 and G SF 0 . For the security proof of the indistinguishability of G ESF−5 and G SF 0 , we define hybrid games J 0 and q d is the number of decryption key queries of an adversary. The oracle and games are formally defined as follows: Oracle O 13/2 This oracle initializes in the same way as } O Ã 0 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge decryptionkey-type query for I, T 2 Z n , it chooses r, y 0 , r 0 , y 00 2 Z n randomly, and also chooses X 2 ; Y 2 ; X 0 2 ; Y 0 2 2 G p 2 and X 3 ; Y 3 ; X 0 3 ; Y 0 3 2 G p 3 randomly. It returns the group elements ðw y 0 ðg 2 g 3 Þ y 0 c 1 ; g y 0 ðg 2 g 3 Þ y 0 ; v y 0 ðu I hÞ r X 2 X 3 ; g r Y 3 ; w y 00 0 ðg 2 g 3 Þ y 00 c 2 ; g y 00 ðg 2 g 3 Þ y 00 ; v y 00 So we obtain the following equation According to the equations Eqs 56, 61, 73, we obtain the following equation

Lemma 35
Under Assumptions 3 and 4, for any PPT attacker A, the difference in A's advantage between G θ and G θ 0 is negligible, where θ 2 {C, SF}. Proof We suppose there exists a PPT attacker A and a symbol of θ 2 {C, SF} such that A's advantage changes non-negligibly between Game RHIBE θ and Game RHIBE θ 0 . We will either create a PPT algorithm B that breaks Assumption 3 with non-negligible advantage or a PPT algorithm B that breaks Assumption 4 with non-negligible advantage.
While playing Game RHIBE θ under Type-1 adversary, A produces two values I, I 0 2 Z n which are unequal modulo n but are equal modulo p 3 , with non-negligible probability. We let A denote gcd(I − I 0 , n), and we let B denote n/A. We then have that p 3 divides A, and B 6 ¼ 1.
While playing Game RHIBE θ under Type-2 adversary, A produces two values T, T 0 2 Z n which are unequal modulo n but are equal modulo p 3 , with non-negligible probability. We let A denote gcd(T − T 0 , n), and we let B denote n/A. We then have that p 3 divides A, and B 6 ¼ 1.
We consider two possible cases: 1) p 1 divides B and 2) A = p 1 p 3 , B = p 2 . At least one of these cases must occur with non-negligible probability.
If case 1) occurs with non-negligible probability, we can create a B which breaks Assumption 3 with non-negligible advantage. B receives g, g 2 , X 1 X 3 , T. It can use these terms to simulate Game RHIBE β with A as follows. It picks values a, b, c, d, a 0 and gives A the following public parameters: We note that B knows the master secret key α, so it can easily make normal secret keys, normal update keys and normal decryption keys. Since B also knows g 2 , it can easily make semifunctional ciphertexts. So B can play Game RHIBE C and Game RHIBE C 0 with A.
To make the three kinds of semi-functional keys, B uses X 1 , X 3 and g 2 . More precisely, to make a semi-functional decryption key for T and (I 1 , Á Á Á, I j ), it also chooses random values y 1 ; Á Á Á ; y jÀ 1 ; y 0 j ; r 0 ; r 1 ; Á Á Á . . . ; r j 2 Z n . It forms the decryption key as: To make the semi-functional update key of (I 1 , Á Á Á, I j−1 ) and T for each θ with its value γ θ in KUNode(BT ID| j−1 , T, RL ID| j−1 ), B chooses random values y 1;y ; Á Á Á ; y jÀ 2;y ; y 0 0;y ; r 0;y ; r 1;y ; Á Á Á ; r jÀ 1;y 2 Z n . B forms the challenge update key for A as: To make the semi-functional secret key of (I 1 , Á Á Á, I j ) and T for each θ with its value γ θ in Path(ID| j ), B chooses random values y 1;y ; Á Á Á ; y jÀ 1;y ; y 0 j;y ; r 1, θ , Á Á Á, r j, θ 2 Z n . B forms the challenge secret key for A as: K i;0 ¼ g l i w y i;y ; K i;1 ¼ g y i;y ; K i;2 ¼ g r i;y ; K i;3 ¼ ðu I i hÞ r i;y v y i;y ; i 2 f1; Á Á Á ; j À 1g So B can play Game RHIBE SF and Game RHIBE SF 0 with A. Now, if A fails to produce I, I 0 or T, T 0 such that gcd(I − I 0 , n) = A or gcd(T − T 0 , n) = A is divisible by p 3 and p 1 divides B = n/A, then B guesses randomly. However, with non-negligible probability, A will produce such an I, I 0 or T, T 0 . B can detect this by computing A = gcd(I − I 0 , n) or A = gcd(T − T 0 , n) and B = n/A, checking that g B is the identity element (this will occur only if p 1 divides B since g has order p 1 in G) and checking that (X 1 X 3 ) B 6 ¼ 1 (this confirms that p 3 does not divide B, hence it must divide A). When B detects this situation, it can test whether T 2 G p 1 or T 2 G p 1 p3 by testing if T B is 1. If T B = 1 holds, then T 2 G p 1 . If T B 6 ¼ 1, then T 2 G p 1 p3 . Thus, B achieves non-negligible advantage in breaking Assumption 3.
If case 2) occurs with non-negligible probability, we can create a B which breaks Assumption 4 with non-negligible advantage. B receives g, g 3 , X 1 X 2 , Y 2 Y 3 , T. It can use these terms to simulate Game RHIBE θ with A as follows. It gives A the public parameters like in the case 1. We note that B knows the master secret key α, so it can easily make normal keys.
To make a semi-functional ciphertext for T and ðI Ã 1 ; Á Á Á ; I Ã l Þ and message M, B chooses random values t 0 , t 1 , Á Á Á, t l 2 Z n and forms the ciphertext as: We note that this will set σ 1 = c 1 modulo p 2 and σ 2 = c 2 modulo p 2 . To make a semi-functional decryption key for (I 1 , Á Á Á, I j ), B chooses random values y 0 , y 1 , Á Á Á, y j , r 0 , r 1 , Á Á Á, r j 2 Z n . It forms the key as: To make the semi-functional update key of (I 1 , Á Á Á, I j−1 ) and T for each θ with its value γ θ in KUNode(BT ID| j−1 , T, RL ID| j−1 ), B chooses random values y 0,θ , y 1,θ , Á Á Á, y j−1,θ , r 0,θ , r 1,θ , Á Á Á, r j−1,θ 2 Z n . B forms the challenge update key for A as: To make the semi-functional secret key of (I 1 , Á Á Á, I j ) and T for each θ with its value γ θ in Path(ID| j ), B chooses random values y 1,θ , Á Á Á, y j,θ , r 1,θ , Á Á Á, r j,θ 2 Z n . B forms the challenge secret key for A as: l i w y j;y ðY 2 Y 3 Þ y j;y c 1 ; K j;1 ¼ g y j;y ðY 2 Y 3 Þ y j;y ; K j;2 ¼ g r j;y ; We note that the semi-functional ciphertext and keys are well-distributed, and share the common value of σ 1 = c 1 modulo p 2 and σ 2 = c 2 modulo p 2 as required. We note that the G p 2 terms on the ciphertext are random because the value of d modulo p 2 and d 0 modulo p 2 does not appear elsewhere. Now, if A fails to produce I, I 0 such that gcd(I − I 0 , n) = A or T, T 0 such that gcd(T − T 0 , n) = A, where A = p 1 p 3 and B = p 2 , then B guesses randomly. However, with non-negligible probability, A will produce such an I, I 0 or T, T 0 . B can detect this by computing A, B and testing that g B and g B 3 are not the identity element (this confirms that B = p 2 , since it demonstrates the p 1 and p 3 do not divide B). Now, B can learn whether T has a G p 2 component or not by testing if T A is the identity element or not. If it is not, then T has a G p 2 component. Thus, B achieves non-negligible advantage in breaking Assumption 4.

Lemma 36
If the Assumption 1 holds, then no polynomial-time adversary can distinguish G Real and G C . Proof. We assume there is a PPT attacker A such that A achieves a non-negligible difference in advantage between Game G Real and Game G C . We will create a PPT algorithm B which breaks Assumption 1 with non-negligible advantage. B is given g 2 G p 1 and T. B chooses a, b, c,  d, a 0 It gives the public parameters to A. Since B knows the master secret key α, it can respond to A's key requests by calling the key generation update and derive algorithm and giving A the resulting keys. At some point, A provides two messages M 0 , M 1 and requests the challenge ciphertext for some identity vector, denoted by ðI 1 Ã ; . . . ; I l Ã Þ at the time T Ã . B forms the ciphertext as follows. It chooses t 0 , t 1 , . . .t l randomly from Z p and β randomly from {0, 1} and sets: This implicitly sets g s equal to the G p 1 part of T. If T 2 G p 1 , then this is a well-distributed normal ciphertext, and B has properly simulated Game G Real . If T 2 G p 1 p2 , then this is a well-distributed semi-functional ciphertext (since the values of d modulo p 2 and d 0 modulo p 2 are uncorrelated from their values modulo p 1 by the Chinese Remainder Theorem). Hence, B has properly simulated Game G C in this case. Thus, B can use the output of A to achieve a nonnegligible advantage against Assumption 1.

Indistinguishability of G SF and G Final
Lemma 37 If the Assumption 2 holds, then no polynomial-time adversary can distinguish G SF and G Final . Proof We suppose there exists a PPT attacker A who achieves a non-negligible advantage in Game RHIBE SF . We will create a PPT algorithm B which has a non-negligible advantage against Assumption 2.
B receives g, g 2 , g 3 , g α X 2 , g s Y 2 , T. It chooses a, b, c, d, a 0 , b 0 , c 0 , d 0 randomly from Z p and It gives the public parameters to A. We note that B does not know the master secret key α. For a secret key query for (I 1 , Á Á Á, I k ), B will create a semi-functional secret key as follows. It chooses f 1 randomly and ðg g y À Q kÀ 1 i¼1 l i w b j;y ðg 2 g 3 Þ f 1 ðdþ1Þ ; g b i;y ðg 2 g 3 Þ f 1 ; g r i;y ; ðu I i hÞ ( This is a well-distributed semi-functional secret key with ψ 1,θ = d + 1, σ 1,θ = c(mod p 2 p 3 ) and y 1 = f 1 (mod p 2 p 3 ). Notice that y 1 is freshly random modulo p 2 and p 3 for each key, while σ 2,θ , ψ 2,θ are the same for all update keys.
For an update key query for (I 1 , Á Á Á, I j−1 ) and T, B generates a semi-functional update key as follows. It chooses r 1;y ; . . . ; r j;y ; b 1;y ; . . . ; b jÀ 1;y ; b 0 0;y 2 Z p randomly for each node θ 2 KUNode (BT ID j−1 ) and f 2 randomly. And it will implicitly set b 0;y ¼ ðb 0 0;y þ aÞ mod p 1 . The semi-functional update key is formed as UK ID| j−1 ,T = ({θ, TUK θ } θ2KUNode ) and TUK y ¼ ðfU i;0 ; U i;1 ; U i;2 ; U i;3 g jÀ 1 i¼0 Þ: This is a well-distributed semi-functional update key with ψ 2,θ = d 0 + 1, σ 2,θ = c 0 (mod p 2 p 3 ) and Notice that y 2 is freshly random modulo p 2 and p 3 for each update key, while σ 2,θ , ψ 2,θ are the same for all update keys. In response to a decryption key query for (I 1 , Á Á Á, I j ) and T. B generates the semi-functional secret key and the semi-functional update key at first, and derives an semi-functional decryption key which is formed as This is a well-distributed semi-functional decryption key. At some point, A provides B with two messages M 0 , M 1 , a challenge identity vector ðI Ã 1 ; Á Á Á ; I Ã l Þ and a challenge time T Ã . B creates the challenge ciphertext as follows. It chooses t 1 ; Á Á Á ; t l ; d 0 1 ; d 0 2 randomly from Z n and β randomly from {0, 1} and sets: If T = e(g, g) αs , this is a well-distributed semi-functional encryption of M β with Notice that d 0 1 and d 0 2 randomize these so that there is no correlation with d or d 0 modulo p 2 . Hence this is uncorrelated from the exponents modulo p 2 of the semi-functional keys. In this case, B has properly simulated Game RHIBE SF .
If T is a random element of G T , then this is a semi-functional encryption of a random message, and hence the ciphertext contains no information about β. In this case, the advantage of A must be zero. Since we have assumed the advantage of A is non-negligible in Game RHI-BE SF , B can use the output of A to obtain a non-negligible advantage against Assumption 2.
This completes the proof of Theorem 1.

Conclusion
In this paper, we propose a RHIBE scheme by combining the unbounded LW-(H)IBE and the CS method in a modular way in composite bilinear groups. Moreover, our construction has the advantages of decryption key exposure resistance and short system public parameters. Since neither the naive dual system encryption for bounded RHIBEs nor the naive nested dual system encryption for unbounded HIBEs work in our unbounded RHIBE, we carefully redesign the hybrid games to show the information theoretic arguments successfully in the dual system encryption framework. Our RHIBE is the first unbounded RHIBE scheme that achieves the adaptive security.

A Defination of the ephemeral semi-functional ciphertexts and keys
In the defination of the first type of ephemeral semi-functional ciphertext, we add G p 2 term on every element of all ciphertext-element-groups. We define a sequence of type-2 ephemeral semi-functional ciphertexts with the index 0 k l, every element of the first k − 1 ciphertext-element-groups is in G p 1 p2 , and only the first elements of the rest of ciphertext-elementgroups are added by G p 2 terms. In the defination of the third type of ephemeral semi-functional ciphertext, every element of the first i − 1 ciphertext-element-groups is in G p 1 p2 ; for the i st ciphertext-element-group, the first element is in G p 1 p2p3 , its rest elements are in G p 1 p3 ; and for the rest ciphertext-element-groups, we add G p 2 terms on the first elements of them. In the defination of the fourth type of ephemeral semi-functional ciphertext, every elements of the first i − 1 ciphertext-element-groups are in G p 1 p2 , every elements of the i st ciphertext-element-group are in G p 1 p2p3 , and for the rest ciphertext-element-groups, we add G p 2 terms on the first elements of them. In the defination of the fifth type of ephemeral semi-functional ciphertext, every element of all ciphertext-element-groups is in G p 1 p2p3 . ; kÞ ! f CT EÀ 2 k It chooses γ, δ 1 , δ 2 , a 0 , b 0 , and random t 0 , . . ., t k 2 Z n . It forms the first two elements and the first k element-groups of ESF-2 k -CT as same as of ESF-1-CT, and the rest element-groups of ESF-2 k -CT as same as of SF-CT.

EncryptESF
EncryptESF-3 k ðIDj j ; T; M; PP; s 1 ; s 2 ; kÞ ! f CT EÀ 3 k It chooses γ, δ 1 , δ 2 , a 0 , b 0 , and random t 0 , . . ., t k 2 Z n , random X 3 , Y 3 2 G p 3 . It forms the first two elements and the first k − 1 elementgroups of ESF-3 k -CT as same as of ESF-1-CT, and the k st element-group of ESF-3 k -CT as . . t 000 j 2 Z n . It forms the first two elements of f CT EÀ 5 as C; C 0 Á g g 2 , and forms the element-groups of ESF-5-CT as In the defination of the first type of ephemeral semi-functional secret key, we add G p 3 term on the last 2 elements of the last element-group. In the defination of the second type of ephemeral semi-functional secret key, we add G p 2 p3 term on the last 2 elements of the last elementgroup. In the defination of the third type of ephemeral semi-functional secret key, we add G p 3 term on the first 2 elements of the last element-group and add G p 2 p3 term on the last 2 elements of the last element-group. In the defination of the fourth type of ephemeral semifunctional secret key, every element of the last element-group is in G p 1 p2p3 . In the defination of the fifth type of ephemeral semi-functional secret key, the first 2 elements and the last element of the last element-group is in G p 1 p2 p3 , and the third element of the last elementgroup is in G p 1 p3 .  EÀ 3 It chooses chooses y 0 , r 2 Z p randomly, X 2 , Y 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 randomly and forms the component seceret key ESF-3-SK g PSK EÀ 3 by constructing κ(I j , y 0 , r) in the last element-group as And the contruction of the other element-groups follows the construction of SK HIBE,S θ in RHIBE.GenKey.
SKeyESF-4 ðIDj j ; ST IDj jÀ 1 ; PP; yÞ ! g PSK EÀ 4 It chooses chooses y 0 , r 2 Z p randomly, X 2 , Y 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 randomly and forms the component ESF-4-SK g PSK EÀ 4 by constructing κ(I j , y 0 , r) in the last element-group as And the contruction of the other element-groups follows the construction of SK HIBE,S θ in RHIBE.GenKey.
SKeyESF-5 ðIDj j ; ST IDj jÀ 1 ; PP; yÞ ! g PSK EÀ 5 It chooses chooses y 0 , r 2 Z p randomly, X 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 randomly and forms the component ESF-5-SK g PSK EÀ 5 by by constructing κ(I j , y 0 , r) in the last element-group as And the contruction of the other element-groups follows the construction of SK HIBE,S θ in RHIBE.GenKey.
The constructions from the normal component update key to the (ephemeral) semi-functional component update keys are similar to that of secret keys, expect that we change the first element group of normal component update key to different types.  EÀ 3 It chooses chooses y 0 , r 2 Z p randomly, X 2 , Y 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 randomly and forms the component seceret key ESF-3-UK g TUK EÀ 3 by constructing κ T (T, y 0 , r) of the first element-group as

UKeyESF
And the contruction of the other element-groups follows the construction of RSK HIBE and SK IBE,S θ in RHIBE.UpdateKey. UKeyESF-4 ðT; ST IDj kÀ 1 ; RL IDj kÀ 1 ;T ; PP; yÞ ! g TUK EÀ 4 It chooses chooses y 0 , r 2 Z p randomly, X 2 , Y 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 randomly and forms the component ESF-4-UK g TUK EÀ 4 by constructing κ T (T, y 0 , r) in the first element-group as And the contruction of the other element-groups follows the construction of RSK HIBE and SK IBE,S θ in RHIBE.UpdateKey. UKeyESF-5 ðT; ST IDj kÀ 1 ; RL IDj kÀ 1 ;T ; PP; yÞ ! g TUK EÀ 5 It chooses chooses y 0 , r 2 Z p randomly, X 2 2 G p 2 randomly, and X 3 , Y 3 2 G p 3 randomly and forms the component ESF-5-UK g TUK EÀ 5 by by constructing κ T (T, y 0 , r) in the first element-group as  picks values a, b, c, d, a 0 , b 0 , c 0 , d 0 2 Z N uniformly at random and sets u = g a , h = g b , v = g c , In the challenge HIBE key, it implicitly sets g r to be the G p 1 part of T. If T 2 G p 1 , then this matches the distribution of O 0 (since there are no G p 3 terms here), and so this will be a properly distributed normal key and B is playing Game H h c −1,2 . If T 2 G p 1 p3 , then this matches the distribution of O 1/2 (note that a, b modulo p 2 are uniformly random and do not occur elsewhere-so there are random G p 3 terms attached to the last two group elements) and then B is playing Game H h Then B creats the semi-functional ciphertexts successfully. When B creats the HIBE private key with the index pair (h, i c ) for some identity vector (I 1 , Á Á Á, I j ) in the index h node, the HIBE private key with an index pair (h, i c ) is generated as follows: 1. i c < h c : B chooses random values y 1 , Á Á Á, y j , λ 1 , Á Á Á, λ j−1 , r 1 , Á Á Á, r j , z, z 0 2 Z n and generates a ESF-2 PSK HIBE,h .
2. i c = h c : B chooses random values y 1 , Á Á Á, y j−1 , λ 1 , Á Á Á, λ j−1 , r 1 , Á Á Á, r j−1 2 Z n . B forms the challenge key as: We must now argue that the challenge key-type query and the k th ciphertext-type query responses are properly distributed. If T 2 G p 1 , then the response to the k ciphertext type query is identically distributed to a response from O 1 , and the values a, b modulo p 3 only appear in the response to the challenge key-type query, hence the G p 3 parts on the last two group elements here appear random in G p 3 . This will be a properly distributed EST-2 k−1 -CT which means that the responses of O properly simulate the responses of O Ã kÀ 1 and B is playing Game S k−1,1 .
If T 2 G p 1 p3 , then we must argue that aI + b and aI Ã k þ b both appear to be uniformly random modulo p 3 : this follows from pairwise independence of the function aI + b modulo p 3 , since we have restricted the Type-1 adversary to choose I and I Ã k so that I 6 ¼ I Ã k modulo p 3 . This means that the G p 3 components on the last two group elements of the challenge key-type query response and on the k ciphertext-type query response are uniformly random in the attacker's view. In this case, O has produced a properly distributed EST-3 k -CT which means that O has properly simulated the responses of O 0 k and B is playing Game S k,2 . Particularly, we need overcome the paradox in the game hopping from Game S q c −1,1 to Game S q c ,2 since the simulator can derive a decryption key and check whether the ciphertext is normal or semi-functional by being decrypted by the semi-functional derived decryption key from secret keys and update keys. For the game hopping from Game S q c −1,1 to Game S q c ,2 , no matter whether T 2 G p 1 p3 or T 2 G p 1 , the cipertext-element-group (T 1 , T 3 , T 2 ) can be decrypted by the decryption key derived from the ESF-2-SK and normal update key. So the paradox is overcame successfully. (The other paradox need to overcome is in the game hopping from Game L q c −1,1 to Game L q c ,2 . In Lamma 23, the paradox can be overcame In the same way.) Hence, if a PPT attacker can distinguish any pair between S k−1,1 and S k,2 with non-negligible advantage, O can distinguish the corresponding pair between O Ã kÀ 1 and O 0 k with non-negligible advantage. It means O can use the output of B to achieve a non-negligible advantage against Assumption 3.
Thus, Under Assumptions 3, no PPT attacker can distinguish between O Ã kÀ 1 and O 0 k with non-negligible advantage. Thus, no PPT attacker can distinguish between S k−1,1 and S k,2 with non-negligible advantage.
Lemma 4 Under Assumptions 4, no PPT attacker can distinguish between O 0 k and O 00 k with non-negligible advantage. So no PPT attacker can distinguish between S k,2 and S k,3 with non-negligible advantage.
Proof We assume B interacts with one of O 0 picks values a, b, c, d, a 0 , b 0 , c 0 , d 0 2 Z N uniformly at random and sets u = g a , B initially obtains the group elements from its oracle simulator where z, y 0 , y, ψ 2 Z p are randomly chosen. These are properly distributed, with g s = X 1 and g g 2 ¼ X 2 . Note that this sets σ 1 equal to c modulo p 2 and p 3 and σ 2 equal to c 0 modulo p 2 and p 3 . It chooses α 2 Z n randomly, and gives A the following public parameters in Eq 83. We note that B knows the master secret key α. When A requests a normal update key or a normal decryption key, B can responds by using the usual key generation algorithm, since it knows α.
Þ as same as Eq 11 to B. Then B creats the ESF-1 ciphertexts successfully.
When A requests the secret key of an identity vector ID| j = (I 1 , Á Á Á, I j ), B creats the ESF-2-SK key by the HIBE-type query response from O and the secret key for ID| j in some node θ is where y 1 , Á Á Á, y j , l 1 ; Á Á Á ; l jÀ 1 ; r 1 ; Á Á Á ; r jÀ 1 ; r 0 j ; z; z 0 2 Z n are randomly chosen. When B creats the IBE private key with the index pair (h, i c ) for some time T for the identity vector (I 1 , Á Á Á, I j−1 ) in the index h node, the update key with an index pair (h, i c ) is generated as follows: 1. i c < h c : It randomly chooses y 0 , Á Á Á, y j−1 , λ 1 , Á Á Á, λ j−1 , r 0 0 ; r 1 ; Á Á Á ; r jÀ 1 , z, z 0 2 Z n and generates a ESF-2-UK TUK ID| l ,T,θh .
It implicitly sets g r 0 to be X r 0 0 1 and that is a properly distribution ESF-2-UK. 2. i c = h c : B chooses random values y 1 , Á Á Á, y j−1 , λ 1 , Á Á Á, λ j−1 , r 1 , Á Á Á, r j−1 2 Z n . B forms the challenge key as: In the challenge IBE key, it implicitly sets g r to be the G p 1 part of T. If T 2 G p 1 , then this matches the distribution of O 0 (since there are no G p 3 terms here), and so this will be a properly distributed normal key and B is playing Game E h c −1,2 . If T 2 G p 1 p3 , then this matches the distribution of O 1/2 (note that a, b modulo p 2 are uniformly random and do not occur elsewhere-so there are random G p 3 picks values a, b, c, d, a 0 , b 0 , c 0 , d 0 2 Z N uniformly at random and sets u = g a , B initially obtains the group elements in Eq 84 from its oracle simulator, and gives A the public parameters in Eq 83. When A requests the challenge ciphertext for messages M 0 , M 1 , identity vector ðI Ã 1 ; Á Á Á ; I Ã l Þ and T Ã , B makes a ciphertext-type query to the oracle for each I Ã i and T Ã . When B makes a ciphertext-type query for some identity I Ã , O responds by choosing a random t 2 Z N and returning ðw s g d 1 2 v t g s 1 t 2 ; g t g t 2 ; ðu I Ã hÞ t g tða 0 I Ã þb 0 Þ 2 Þ to B as same as Eq 10. When B makes a ciphertexttype query for some time T Ã , O responds by choosing a random t 0 2 Z N and returning ; g t 0 g t 0 2 ; ðu T Ã 0 h 0 Þ t 0 g t 0 ða 0 T Ã þb 0 Þ 2 Þ as same as Eq 11 to B. Then B creats the ESF-1 ciphertexts successfully. When A requests the secret key of an identity vector ID| j = (I 1 , Á Á Á, I j ), B creats the ESF-2-SK key by the HIBE-type query response from O and the secret key for ID| j in some node θ is S i;0 ¼ g l i w y i ; S i;1 ¼ g y i ; S i;2 ¼ g r i ; S i;3 ¼ ðu I i hÞ r i v y i ; i 2 f1; Á Á Á ; j À 1g S j;0 ¼ g g y À P jÀ 1 i¼1 l i w y j ; S j;1 ¼ g y j ; S j;2 ¼ v y j ðX 1 X 2 Þ r 0 j ðaI j þbÞ g z 3 ; S j;3 ¼ ðX 1 X 2 Þ r 0 where y 1 , Á Á Á, y j , l 1 ; Á Á Á ; l jÀ 1 ; r 1 ; Á Á Á ; r jÀ 1 ; r 0 j ; z; z 0 2 Z n are randomly chosen. When B creats the IBE private key with the index pair (h, i c ) for a time T in the index h node in the binary tree BT ID| j = (I1, Á Á Á, Ij−1) , the update key with an index pair (h, i c ) is generated as follows: 1. i c < h c : B chooses random values y 1 , Á Á Á, y j−1 , λ 1 , Á Á Á, λ j−1 , r 0 , Á Á Á, r j−1 , z, z 0 2 Z n and generates a ESF-2 TUK IBE,h .
As in the previous lemma, this implicitly sets g r 0 to be the G p 1 part of T in the challenge IBE key. We note that a 0 , b 0 modulo p 2 , p 3 are uniformly random and do not appear elsewhere. Thus, when T 2 G p 1 p3 , these last two terms will have random elements of G p 3 attached (matching the distribution of O 5/2 ) and then B is playing Game E h c ,1 . And when T 2 G, these last two terms will have random elements in both G p 3 and G p 2 attached (matching the distribution of O 3 ) and then B is playing Game E h c ,2 .
Hence, if a PPT attacker can distinguish between E h c ,1 and E h c ,2 with non-negligible advantage, O can distinguish between O 5/2 and O 3 with non-negligible advantage. It means O can gain a non-negligible advantage against Assumption 4.
Thus, Under Assumptions 4, no PPT attacker can distinguish between O 5/2 and O 3 with non-negligible advantage. Thus, no PPT attacker can distinguish between E h c ,1 and E h c ,2 with non-negligible advantage.

2
It implicitly sets g r j to be X r 0 j 1 and that is a properly distribution ESF-2-SK. In the challenge HIBE key, it implicitly sets g y 0 to be the G p 1 part of T. If T 2 G p 1 , then this matches the distribution of O 3 (since there are no G p 3 terms here), and so this will be a properly distributed normal key and B is playing Game F h c −1 . If T 2 G p 1 p3 , then this matches the distribution of O 3.1 (note that a, b modulo p 2 are uniformly random and do not occur elsewhereso there are random G p 3  Proof The proof of this lemma is almost the same as that of Lemma 8 except the generation of secret keys and update keys. Upon receiving a challenge HIBE-key-type query for I 2 Z n , O chooses r 1 , r 2 , r 0 , y 00 2 Z n randomly and returns the group elements ððX 1 X 3 Þ dy 00 ; ðX 1 X 3 Þ y 00 ; ðX 1 X 3 Þ cy 00 ðX 1 X 3 Þ ða I þbÞr 0 g r 1 2 ; ðX 1 X 3 Þ r 0 g r 2 2 Þ to B. And then B creats the ESF-3 update key by using the group elements. When B creats the IBE private key with the index pair (h, i c ) for some identity vector (I 1 , Á Á Á, I j−1 ) and the time T in the index h node, the IBE private key with an index pair (h, i c ) is generated as follows: 1. i c < h c : It randomly chooses y 1 ; Á Á Á ; y jÀ 1 ; y 0 0 , l 1 ; Á Á Á ; l jÀ 1 ; r 1 ; Á Á Á ; r jÀ 1 ; r 0 0 ; z; z 0 2 Z n and generates a ESF-3-UK EUK IBE,h .
U i;0 ¼ g l i w y i ; U i;1 ¼ g y i ; U i;2 ¼ g r i ; U i;3 ¼ ðu I i hÞ r i v y i ; i 2 f1; Á Á Á ; j À 1g It implicitly sets g y 0 to be X y 0 0 1 and g r 0 to be X r 0 0 1 and that is a properly distribution ESF-3-UK.
When B creats the IBE private key with the index pair (h, i c ) for some time T for the identity vector (I 1 , Á Á Á, I j−1 ) in the index h node, the update key with an index pair (h, i c ) is generated as follows: 1. i c < h c : It randomly chooses y 1 , Á Á Á, y j , λ 1 , Á Á Á, λ j−1 , r 0 , Á Á Á, r j−1 , z, z 0 2 Z n and generates a ESF-4-UK TUK IBE,h .
That is a properly distribution ESF-4-UK.

i c > h c : It generates a ESF-4-UK as
U i;0 ¼ g l i w y i ; U i;1 ¼ g y i ; U i;2 ¼ g r i ; U i;3 ¼ ðu I i hÞ r i v y i ; i 2 f1; Á Á Á ; j À 1g where z, z 0 2 Z p are randomly chosen.
In the challenge IBE key, it implicitly sets g r to be the G p 1 part of T. We note that a 0 , b 0 modulo p 2 , p 3 are uniformly random and do not appear elsewhere. If T 2 G p 1 p3 , then this matches the distribution of O 6 , and so this will be a properly distributed normal key and B is playing Game F6 h c −1,2 . If T 2 G, then this matches the distribution of O 7/2 0 (note random G p 3 terms attached to the last two group elements) and then B is playing Game F6 h picks values a, b, c, d, a 0 , b 0 , c 0 , d 0 2 Z N uniformly at random and sets u = g a , h = g b , z, z 0 2Z n and generates a semi-functional update key TUK ID| l ,T,θh U 0;0 ¼ g aÀ g y h À P jÀ 1 i¼1 l i ðX 1 X 3 g 2 Þ d 0 y 0 0 ; U 0;1 ¼ ðX 1 X 3 g 2 Þ y 0 0 ; U 0;2 ¼ g r 0 ; U 0;3 ¼ ðX 1 X 3 g 2 Þ When T 2 G p 1 the values of a, b modulo p 3 only appear in the response to the challenge keytype query, which means that the G p 3 terms on the last two group elements there are uniformly random. Also, the response to the k th ciphertext-type query is distributed exactly like a response from O 2 . In this case, O has properly simulated the responses of O Ã k and this will be a properly distributed EST-2 k -CT and so B is playing Game S 0 k;1 . When T 2 G p 1 p3 , we must argue that the values aI + b and aI Ã k þ b appear uniformly random modulo p 3 : this follows by pairwise independence of aI + b as a function of I modulo p 3 , since we have restricted the Type-1 adversary to choose I and I Ã k so that I 6 ¼ I Ã k modulo p 3 and a, b modulo p 3 only appear in these two values. Hence, O has produced a properly distributed EST-4 k -CT and O has properly simulated the response of O 00 k in this case. So B is playing Game S 0 k;3 . We have thus shown that O can use the output of B to achieve non-negligible advantage against Assumption 3.
Hence, if a PPT attacker can distinguish any pair between S 0 k;3 and S 0 k;1 with non-negligible advantage, O can distinguish the corresponding pair between e O 00 k and e O Ã k with non-negligible advantage. It means O can use the output of B to achieve a non-negligible advantage against Assumption 3.
Thus, Under Assumptions 3, no PPT attacker can distinguish between e O 00 k and e O Ã k with non-negligible advantage. Thus, no PPT attacker can distinguish between S 0 k;3 and S 0 k;1 with non-negligible advantage.