Heterogeneous deniable authenticated encryption for location-based services

Location-based services provide users with the location information they request, but users also need to disclose their current location to the location-based service provider. Therefore, protecting users' location privacy is a major concern. In this paper, we propose a heterogeneous deniable authenticated encryption scheme called HDAE for location-based services. The proposed scheme permits a sender in a public key infrastructure environment to transmit a message to a receiver in an identity-based environment. Our design utilizes a hybrid encryption method combining a tag-key encapsulation mechanism (tag-KEM) and a data encapsulation mechanism (DEM), which is well suited to location-based services applications. We show how to design an HDAE scheme from a heterogeneous deniable authenticated tag-KEM (HDATK) and a DEM. We also construct an HDATK scheme and provide a security proof in the random oracle model. Comprehensive analysis shows that our scheme is efficient and secure. In addition, we give an application of the HDAE to a location-based services system.


Introduction
The fast expansion of smart devices and mobile networks has made location-based services (LBSs) an integral part of people's daily lives. Users utilize LBSs to find points of interest, navigate to a destination, query public transportation, etc. [1][2][3][4][5][6]. In all of these requested services, users need to disclose their location information to the location-based service provider (LBSP). Based on location information, the LBSP is able to infer sensitive information about users, such as preferences, social circles, and trajectories. For example, if a user frequently sends location requests for the same hospital, the LBSP is able to deduce that the user may have a health problem.
If the LBSP cooperates with a malicious adversary for pecuniary advantage, users can suffer significant losses. For example, based on the location privacy information leaked about a user, a malicious adversary can infer the user's home address or routine and then commit theft, which seriously threatens the user's personal and property safety. Therefore, protecting users' location privacy is a major concern.
However, a digital signature also provides non-repudiation. That is, the sender cannot deny the message he/she signed. To resolve this issue, deniable authentication [17] was proposed, which has two characteristics: (1) the receiver has the capability of identifying whether a given message is from the sender; (2) any third party is incapable of determining whether the given message is from the sender or the receiver, even if the third party colludes with the receiver, since the receiver is able to generate a probabilistically indistinguishable transcript from the sender's. However, in privacy-preserving scenarios, the transmitted message also needs to be encrypted to achieve confidentiality. Wu and Li [18] first presented an identity-based DAE scheme that achieves confidentiality as well as deniable authentication in an efficient manner.

Motivation and contribution
In order to make the designed scheme more practical, we require the sender and receiver to be in different cryptographic environments. Concretely, we design a heterogeneous deniable authenticated encryption (HDAE) scheme utilizing the tag-KEM/DEM hybrid encryption method. The proposed scheme permits a sender in a public key infrastructure (PKI) setting to deliver a message to a receiver in an identity-based cryptography (IBC) setting. This construction has a security proof in the random oracle model (ROM) under the DBDH and BDH assumptions. Our experimental analysis shows that our scheme is efficient and secure. Additionally, we design an LBS scheme utilizing our proposed HDAE scheme. On the one hand, it permits the LBSP to confirm whether the ciphertext of the submitted location request is from the user. On the other hand, no third party can determine whether the ciphertext of the submitted location request is from the user or the service provider, even if the third party colludes with the LBSP, since the LBSP has the capability of generating a ciphertext that is probabilistically indistinguishable from the user's.

Organization
The rest of this paper is organized as follows. Related work is presented in Section II. The problem formulation is given in Section III. We design a formal model for the HDAE in Section IV, and a security model for the HDATK is described in Section V. An HDAE design is presented in Section VI, and we design an HDATK scheme in Section VII. Performance analysis is discussed in Section VIII. In Section IX, we give an application of the HDAE to the LBS. Conclusions are drawn in Section X.

Related work
Related notions, namely hybrid encryption, deniable authenticated encryption, and heterogeneous deniable authentication, are introduced.
Hybrid encryption consists of a key encapsulation mechanism (KEM) and a data encapsulation mechanism (DEM). The KEM encrypts a session key under a public key, whereas the DEM encrypts the actual data under the session key. For large messages, hybrid encryption is the best choice. Cramer and Shoup [19] designed practical and provably secure hybrid KEM/DEM schemes. Abe et al. [20] proposed a more efficient tag-KEM/DEM scheme. Since then, many KEM/DEM schemes [21][22][23][24][25][26][27][28] have been proposed. These designs support the modular design of both components. Sahai et al. [29] proposed a tag-KEM/DEM scheme based on a non-interactive proof method; the scheme can encrypt messages of arbitrary length. Baek et al. [30] presented a stateful KEM-DEM scheme, which is highly efficient because it uses a state to produce the random parameters.
Deniable authenticated encryption (DAE) is a cryptographic primitive that accomplishes public key encryption and deniable authentication concurrently. Its cost is lower than that of the deniable-authentication-then-encryption approach. Since the DAE achieves deniable authentication and confidentiality simultaneously, it is well suited to privacy-protecting scenarios.
Li et al. [31] constructed a DAE scheme with a formal security proof and built an email system on it. Jin et al. [32] constructed a DAE scheme that simultaneously achieves deniable authentication, confidentiality, and ciphertext anonymity. Rasmussen and Gasti [33] proposed a DAE based on two encryption schemes with strong and weak properties. Recently, Huang et al. [34] constructed a DAE scheme for privacy protection with a formal security proof. The above schemes are all in the PKI environment, which has public key management problems, including distribution, storage, and revocation. To resolve this issue, a number of identity-based deniable authenticated encryption (IBDAE) schemes have been constructed. Wu and Li [18] constructed an IBDAE scheme with a formal security proof. Li et al. [35] (denoted by LZJ) proposed an IBDAE scheme for e-mail systems; their scheme uses tag-KEM/DEM hybrid encryption, which is more suitable for practical applications. Jin and Zhao [36] designed an IBDAE scheme with a formal security proof. The aforementioned schemes have the key escrow problem, i.e., a third party called the private key generator (PKG) knows all users' private keys. To avoid this problem, a certificateless deniable authenticated encryption (CLDAE) scheme [37] has been designed. Recently, Chen et al. [38] proposed a certificateless hybrid KEM/DEM scheme that separates the two parts to provide better security and efficiency.
The aforementioned DAE schemes share a common feature: all entities are in the same cryptosystem. This makes them poorly suited to the LBS system. Li et al. [39] (denoted by LHO) designed two heterogeneous deniable authentication (HDA) schemes, which allow batch verification to accelerate the verification of authenticators. Jin et al. [40] constructed an HDA scheme in which a sender in a CLC setting delivers a message to a receiver in an IBC setting. However, these schemes do not achieve confidentiality.

System and security models
There are three entities in the HDAE, as shown in Fig 1: a user, an LBSP, and a trusted third party, the PKG. The user produces the location information and the corresponding ciphertext, and the ciphertext is sent to the LBSP. The LBSP can verify that the received ciphertext is from the user and can itself generate a ciphertext that is probabilistically indistinguishable from the user's. The PKG is mainly responsible for generating the system parameters and the LBSP's private key.
To obtain a privacy-preserving location-based service, in the proposed system model the user sends the ciphertext of the location request to the LBSP. The LBSP then decrypts the received ciphertext and checks whether the decrypted message is the location request or the failure symbol ⊥.

Threat model and security goals
We consider an adversary that acts as a user in order to learn the location requests of other users. The LBSP is honest-but-curious: it follows the designed scheme, but it may collude with a third party for economic benefit. Accordingly, collusion between the LBSP and a third party is covered by the proposed security goals. Specifically, two security requirements are considered in the constructed scheme.
• Confidentiality: No third party other than the involved entities can learn any information about the location request contained in a ciphertext.
• Deniable authentication: The LBSP is able to determine that a ciphertext is from the user, and is also able to create a ciphertext that is probabilistically indistinguishable from the user's.

PI-HDAE
We describe security notions for the HDAE in this section. In the designed HDAE scheme, the sender is in a PKI environment, while the receiver is in an IBC environment. We denote this kind of DAE by PI-HDAE, defined as follows.

Syntax
A PI-HDAE scheme comprises the five algorithms below.
Setup: Given a security parameter 1^k, the PKG obtains the params and a master private key s. In the other algorithms, we omit params since they are public.
PKI-KG: A user in the PKI setting selects a secret key sk and computes its public key pk.
IBC-KE: A user in the IBC setting transmits its identity ID to the PKG, which computes its private key S_ID and securely passes it to the user. Here, the user's public key is its identity ID.
Deniable-Authenticated-Encrypt (DAE): Given a message m, a sender's secret key sk_s, public key pk_s, and a receiver's identity ID_r, the sender obtains a ciphertext σ.
Deniable-Authenticated-Decrypt (DAD): Given a ciphertext σ, a sender's public key pk_s, a receiver's identity ID_r, and its private key S_{ID_r}, the receiver obtains a message m or the symbol ⊥.

Security notions
We adapt the notions of [35] to our scheme. For confidentiality, we employ the standard notion of indistinguishability against adaptive chosen ciphertext attacks (IND-CCA2). For IND-CCA2 security of a PI-HDAE scheme, the game below is played between an adversary F and its challenger C.
"IND-CCA2" game (Game-I):
Setup. C runs the Setup algorithm to get params, releases them to F and keeps s. C also runs the PKI-KG algorithm to obtain a sender's private/public key pair (sk*_s, pk*_s) and passes pk*_s to F.
Phase 1. F adaptively issues the queries below.
• Key extraction queries: F picks an identity ID. C obtains the private key S_ID by running the IBC-KE algorithm and transmits it to F.
• DAE queries: F selects a receiver's identity ID_r and a message m. C runs DAE(m, sk*_s, pk*_s, ID_r) and transmits the result σ to F.
• DAD queries: F selects a ciphertext σ and a receiver's identity ID_r. C obtains S_{ID_r} by running the key extraction algorithm and transmits the result of DAD(σ, pk*_s, ID_r, S_{ID_r}) to F (a result of ⊥ indicates that σ is invalid).
Challenge. F decides when Phase 1 ends. F creates a challenge identity ID*_r and two messages (m_0, m_1); F must not have requested a key extraction query on ID*_r in Phase 1. C randomly picks b ∈ {0, 1}, computes σ* = DAE(m_b, sk*_s, pk*_s, ID*_r) and outputs σ* to F.
Phase 2. F makes queries as in Phase 1, except that it neither requests a key extraction query on ID*_r nor a DAD query on (σ*, pk*_s, ID*_r).
F's advantage is defined in terms of Pr[b' = b], the probability that F's guess b' equals b.
Definition 1. A PI-HDAE scheme is IND-CCA2 secure if any probabilistic polynomial time (PPT) adversary F wins the "IND-CCA2" game with at most negligible advantage.
In the above definition, F is allowed to obtain the sender's private key S_{ID_s} [41]. That is, confidentiality is retained even if S_{ID_s} is compromised.
For deniable authentication, we employ the notion of deniable authentication against adaptive chosen message attacks (DA-CMA).
For DA-CMA security of a PI-HDAE scheme, the game below is played between F and C.
"DA-CMA" game (Game-II):
Setup. This is identical to Game-I.
Attack. This is identical to Game-I.
Forgery. F creates a pair (σ*, ID*_r). F succeeds if the conditions below are satisfied:
2. F has not issued a key extraction query on ID*_r.
3. F has not issued a DAE query on (m*, ID*_r).
F's advantage is defined as the probability that it wins.
Definition 2. A PI-HDAE scheme is DA-CMA secure if any PPT adversary F wins the "DA-CMA" game with at most negligible advantage.
In the above definition, F does not issue a key extraction query on the identity ID*_r. This is for deniability: the two communicating parties are both able to produce a transcript with indistinguishable probability.

Data Encapsulation Mechanism (DEM)
A DEM consists of two algorithms.
• Enc: Given 1^k, a message m, and a key K, this algorithm outputs a ciphertext c, denoted c = Enc(K, m).
• Dec: Given a key K and a ciphertext c, this algorithm outputs a message m or ⊥.
For a DEM, we employ the notion of indistinguishability against passive attackers (IND-PA). The game below is played between A and C.
IND-PA game (Game-III):
Setup. A transmits two messages (m_0, m_1).
Challenge. C picks K and β ∈ {0, 1}, and outputs a challenge ciphertext c* = Enc(K, m_β) to A.
Guess. A returns β', and wins the game if β' = β. A's advantage is defined in terms of Pr[β' = β], the probability that A guesses correctly.
Definition 3. A DEM is DA-CPA secure if any PPT adversary A wins the "DA-CPA" game with at most negligible advantage.

PI-HDATK
The security notions for the heterogeneous deniable authenticated tag-KEM (HDATK) are given in this section. In the designed HDATK scheme, the sender belongs to a PKI setting, while the receiver belongs to an IBC setting. We denote this kind of DATK scheme by PI-HDATK, defined as follows.

Syntax
A PI-HDATK scheme comprises the six algorithms below.
Setup: Given 1^k, the PKG obtains the params and a master private key s. Since params are public, we omit them in the other algorithms.
PKI-KG: A user in the PKI setting computes a secret/public key pair (sk, pk).
IBC-KE: A user in the IBC setting transmits its identity ID to the PKG, which computes its private key S_ID and securely transmits it to the user. Here, we assume that the user's public key is its identity ID.
Sym: Given a sender's secret key sk_s, public key pk_s, and a receiver's identity ID_r, the sender produces an encryption key K and state information ω.
Encap: Given a tag τ and the state information ω, the sender creates an encapsulation ϕ.
Decap: Given a sender's public key pk_s, a receiver's identity ID_r and private key S_{ID_r}, a tag τ, and an encapsulation ϕ, the receiver outputs K or ⊥.

Security notions
A PI-HDATK scheme should satisfy both confidentiality and deniable authentication.
For IND-CCA2 security of a PI-HDATK scheme, the game below is played between F and C.
"IND-CCA2" game (Game-IV):
Setup. C runs the Setup algorithm, delivers params to F and keeps s. C also runs the PKI-KG algorithm to obtain a sender's private/public key pair (sk*_s, pk*_s) and delivers pk*_s to F.
Phase 1. F adaptively issues the queries below.
• Key extraction queries: This is identical to Game-I.
• Symmetric key generation queries: F submits a receiver's identity ID_r to C. C then computes (K, ω) = Sym(sk*_s, pk*_s, ID_r), stores the state information ω, and sends the key K to F.
• Encapsulation queries: F picks a tag τ. If no stored ω matches, C outputs ⊥. Otherwise, C deletes the stored ω and produces ϕ = Encap(ω, τ).
• Decapsulation queries: F picks an encapsulation ϕ, a receiver's identity ID_r, and a tag τ. C produces S_{ID_r} by running the key extraction algorithm and outputs the result of Decap(ϕ, τ, pk*_s, ID_r, S_{ID_r}) to F.
Challenge. F decides when Phase 1 is over and outputs a challenge identity ID*_r, on which it must not have requested a key extraction query in Phase 1. C picks K_0 ∈ K_{PI-HDATK} and passes K_b to F. After obtaining K_b, F may issue the same queries as before. F then returns a tag τ*. C computes the challenge encapsulation ϕ* = Encap(ω*, τ*) and outputs it to F.
Phase 2. F makes queries as in Phase 1, except that it neither requests a key extraction query on ID*_r nor a decapsulation query on (ϕ*, τ*, pk*_s, ID*_r).
Guess. F returns b' and wins the game if b' = b; its advantage is defined in terms of Pr[b' = b].
Definition 4. A PI-HDATK scheme is IND-CCA2 secure if any PPT adversary F wins the "IND-CCA2" game with at most negligible advantage.
In the above definition, F is allowed to obtain the sender's secret key S_{ID_s}. That is, confidentiality is maintained even if S_{ID_s} is compromised.
For deniable authentication, we employ the notion of deniable authentication against adaptive chosen message attacks (DA-CMA).
For DA-CMA security of a PI-HDATK scheme, the game below is played between F and C.
Attack. This is identical to Game-III.
Forgery. F creates a tuple (ϕ*, τ*, ID*_r). F succeeds if the conditions below are met:
1. DAD(σ*, pk*_s, ID*_r) = m*.
2. F has not issued a key extraction query on ID*_r.
3. F has not issued a DAE query on (m*, ID*_r).
F's advantage is defined as the probability that it wins.
Definition 5. A PI-HDATK scheme is DA-CMA secure if any PPT adversary F wins the "DA-CMA" game with at most negligible advantage.
In the above definition, F does not issue a key extraction query on ID*_r. This is for deniability: the two communicating parties are both able to produce an indistinguishable transcript.

A PI-HDATK scheme
Our proposed scheme consists of six algorithms. Fig 3 shows the main description. In the DEM part, the tag is the ciphertext. This construction is simple to describe and achieves better generic security.

Basic knowledge
In this section, we describe the properties of bilinear pairings, the decisional bilinear Diffie-Hellman problem (DBDHP), and the bilinear Diffie-Hellman problem (BDHP). Let G_1 and G_2 be an additive group and a multiplicative group, respectively. P is a generator of G_1, and G_1 and G_2 have the same prime order q. A bilinear pairing is a map e: G_1 × G_1 → G_2 with the following properties:
1. Bilinearity: e(aP, bQ) = e(P, Q)^{ab} for all P, Q ∈ G_1 and a, b ∈ Z*_q.

Computability: There is an efficient algorithm to compute e(P, Q) for all P, Q ∈ G_1. The modified Weil and Tate pairings are admissible maps ([42][43][44][45][46][47][48] offer more information). The security of this scheme depends on the hardness of the following problems.

Definition 1. Decisional Bilinear Diffie-Hellman Problem (DBDHP).
Given the bilinear pairing definition above, the DBDHP is to decide whether θ = e(P, P)^{abc} given (P, aP, bP, cP) and θ ∈ G_2, with a, b, c ∈ Z*_q.

Definition 2. Bilinear Diffie-Hellman Problem (BDHP).
Given the bilinear pairing definition above, the BDHP is to compute e(P, P)^{abc} given (P, aP, bP, cP) with a, b, c ∈ Z*_q.

Our scheme
Setup. Let G_1, G_2, P, and e be as in Subsection A of Section VII. Let k be a security parameter (q ≥ 2^k) and n the key length of the DEM.
The KGC randomly selects a master key s ∈ Z*_q and computes P_pub = sP. The public params are (G_1, G_2, e, q, n, k, P, P_pub, H_1, H_2, H_3), and the master private key is s.

PKI-KG.
A user in a PKI setting randomly selects x_i ∈ Z*_q as its secret key sk_i and computes pk_i = sk_i P as its public key. Here, i = s denotes the sender, and pk_s = x_s P, sk_s = x_s denote the sender's public/private key pair.

IBC-KE.
A user in an IBC setting gives its identity ID to the PKG. The PKG computes its private key S_ID = sQ_ID, where Q_ID = H_1(ID), and securely transmits it to the user. Here, ID_r denotes the receiver, and pk_r = ID_r and sk_r = S_{ID_r} denote the receiver's public and private key.
Sym. Given a sender's private/public key pair (sk_s, pk_s) and a receiver's identity ID_r, the algorithm below is executed.
Encap. Given a tag τ and the state information ω, the algorithm below is executed.

Compute σ = (W, V).
Decap. Given a tag τ, an encapsulation σ, a sender's public key pk_s, and a receiver's private key S_{ID_r} and identity ID_r, the algorithm below is executed.
3. If V = h pk_s, output K = H_2(t, pk_s, ID_r); otherwise, return the symbol ⊥.
The consistency of the designed HDATK scheme can be verified. Because W = e(S, Q_{ID_r}) and V = h pk_s, we get

Security
Theorems 3 and 4 give the security results for PI-HDATK.
Theorem 3. Under the DBDH assumption in the ROM, if F wins the IND-CCA2 game with non-negligible advantage ε_datk when issuing q_{H_i} queries to H_i (i = 1, 2, 3), q_ke key extraction queries, q_gsk symmetric key generation queries, q_ke key encapsulation queries, and q_kd key decapsulation queries in time t, then C solves the DBDH problem. Proof: Refer to Appendix 3.
Theorem 4. Under the BDH assumption in the ROM, if F wins the DA-CMA game with non-negligible advantage ε_datk when issuing q_{H_i} queries to H_i (i = 1, 2, 3), q_ke key extraction queries, q_gsk symmetric key generation queries, q_ke key encapsulation queries, and q_kd key decapsulation queries in time t, then C solves the BDH problem. Proof: Refer to Appendix 4.

Performance
We compare the main computational cost of our construction with the existing schemes LZJ [35] and HDA-I of LHO [39] in Table 1. Point multiplication in G_1, exponentiation in G_2, addition in G_1, and the pairing computation are denoted by PM, EC, AD, and PC, respectively. We ignore XOR and hash function evaluations since they are trivial. Among all operations, the PC evaluation is the most time-consuming. Table 1 shows that the computational overhead of our scheme is less than that of LZJ [35] but more than that of HDA-I of LHO [39]. Note that LZJ [35] is not a heterogeneous DAE scheme and so does not cater for the LBS, and HDA-I of LHO [39] does not achieve confidentiality. An experiment is conducted with the PBC library using the type A pairing [49]. The A pairing is defined on an elliptic curve y^2 = x^3 + x mod p for some prime p ≡ 3 mod 4. As required, we set the order of G_1 to q and the library's embedding degree to 2. Here, 80-bit, 112-bit, and 128-bit denote three AES [50] key-size security levels, respectively. Table 2 gives the parameters for the different security levels.

Application
Zeng et al. [51] presented a deniable ring authentication for protecting LBS privacy. In their scheme, the user's identity is anonymous to the LBSP and he/she can deny having sent the location request to the LBSP. However, all entities are in the same environment and the location request is sent in plaintext, so any adversary can monitor or intercept this sensitive information. To better resolve this issue, we utilize our designed HDAE scheme in LBS systems so that the transmitted message is sent as ciphertext. The specific communication process is as follows. A user in a PKI environment wants to request the location-based service m from the service provider (SP) in an identity-based environment. It first executes the PKI-KG algorithm to produce its private/public key pair (sk_s, pk_s) and then executes DAE(m, sk_s, pk_s, ID_r) to create a ciphertext σ. The user passes the resulting σ to the SP. When the SP receives the LBS request, it first requests its private key S_{ID_r} from the PKG. Then it executes DAD(σ, pk_s, ID_r, S_{ID_r}) to obtain the LBS request m. The SP cannot convince any third party of the origin of m, since the third party cannot determine whether the LBS request m is from the user or the service provider: the service provider can generate the same LBS request m and ciphertext σ with indistinguishable probability.
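As an added illustration, which is not code from the paper or its authors, the Python program below implements the DAE/DAD flow of this application and the tag-KEM/DEM composition of Section VII with a stand-in tag-KEM: a static Diffie-Hellman value t over a toy group replaces the pairing value e(S, Q_{ID_r}), H_2 and H_3 are SHA-256 with domain labels, and the receiver's public key is a group element rather than an identity. The rest follows the page: Sym derives K and ω before the tag is known, the DEM ciphertext c serves as the tag τ, Encap binds τ to t via H_3, and Decap returns K or ⊥ (None). The receiver_simulate function shows the deniability property the application relies on: the SP, knowing the same t, can produce a ciphertext that decrypts exactly like the user's. All names, the group parameters and the sample location request are constructed assumptions for this example.

```python
import hashlib
import hmac
import os
import secrets

# Toy cyclic group for the stand-in tag-KEM (constructed for illustration only;
# a real deployment would use the pairing groups of the paper or a standard
# Diffie-Hellman group, never this small Mersenne prime).
P = (1 << 127) - 1
G = 5

def i2b(x: int) -> bytes:
    """Fixed-width big-endian encoding of a group element (all values < 2^127)."""
    return x.to_bytes(16, "big")

def H(label: bytes, *parts: bytes) -> bytes:
    """Domain-labelled, length-prefixed SHA-256; stands in for H_2 and H_3."""
    h = hashlib.sha256(label)
    for part in parts:
        h.update(len(part).to_bytes(4, "big"))
        h.update(part)
    return h.digest()

def keygen():
    """PKI-KG style key pair: secret exponent x and public element G^x (toy)."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)

# ---- DEM: Enc(K, m) / Dec(K, c) as a hash-based keystream cipher -----------
def keystream(K: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(K + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def dem_enc(K: bytes, m: bytes) -> bytes:
    nonce = os.urandom(16)
    return nonce + bytes(a ^ b for a, b in zip(m, keystream(K, nonce, len(m))))

def dem_dec(K: bytes, c: bytes) -> bytes:
    nonce, body = c[:16], c[16:]
    return bytes(a ^ b for a, b in zip(body, keystream(K, nonce, len(body))))

# ---- Stand-in tag-KEM: Sym / Encap / Decap ---------------------------------
def shared(sk_mine: int, pk_other: int) -> int:
    """Static DH value known to both parties; replaces the pairing value t."""
    return pow(pk_other, sk_mine, P)

def sym(sk_s, pk_s, pk_r):
    """Sym: derive the DEM key K and state ω before the tag is known."""
    t = shared(sk_s, pk_r)
    K = H(b"H2", i2b(t), i2b(pk_s), i2b(pk_r))
    return K, (t, pk_s, pk_r)

def encap(omega, tau: bytes) -> bytes:
    """Encap: bind the tag τ (the DEM ciphertext) to t, like h = H_3(τ, t, pk_s, ID_r)."""
    t, pk_s, pk_r = omega
    return H(b"H3", tau, i2b(t), i2b(pk_s), i2b(pk_r))

def decap(phi: bytes, tau: bytes, pk_s, sk_r, pk_r):
    """Decap: recompute t on the receiver side; return K, or None for ⊥."""
    t = shared(sk_r, pk_s)
    expected = H(b"H3", tau, i2b(t), i2b(pk_s), i2b(pk_r))
    if not hmac.compare_digest(phi, expected):
        return None
    return H(b"H2", i2b(t), i2b(pk_s), i2b(pk_r))

# ---- Hybrid DAE / DAD composition: σ = (ϕ, c) with tag τ = c ----------------
def dae(m: bytes, sk_s, pk_s, pk_r):
    K, omega = sym(sk_s, pk_s, pk_r)
    c = dem_enc(K, m)
    return encap(omega, c), c

def dad(sigma, pk_s, sk_r, pk_r):
    phi, c = sigma
    K = decap(phi, c, pk_s, sk_r, pk_r)
    return None if K is None else dem_dec(K, c)

def receiver_simulate(m: bytes, sk_r, pk_r, pk_s):
    """Deniability: the receiver knows the same t, so it can run the sender's
    steps itself; a transcript therefore proves nothing to a third party."""
    t = shared(sk_r, pk_s)
    K = H(b"H2", i2b(t), i2b(pk_s), i2b(pk_r))
    c = dem_enc(K, m)
    return encap((t, pk_s, pk_r), c), c

def demo():
    """Returns (genuine decrypts, tampered rejected, receiver forgery accepted)."""
    sk_s, pk_s = keygen()          # user in the PKI setting
    sk_r, pk_r = keygen()          # service provider (stand-in for IBC key)
    m = b"nearest pharmacy to (51.50, -0.12)"   # constructed location request
    sigma = dae(m, sk_s, pk_s, pk_r)
    ok = dad(sigma, pk_s, sk_r, pk_r) == m
    phi, c = sigma
    tampered = dad((phi, c[:-1] + bytes([c[-1] ^ 1])), pk_s, sk_r, pk_r) is None
    forged = dad(receiver_simulate(m, sk_r, pk_r, pk_s), pk_s, sk_r, pk_r) == m
    return ok, tampered, forged
```

demo() exercises the three behaviours a practitioner should expect from this composition: a genuine ciphertext decrypts, flipping one bit of the DEM ciphertext makes Decap return ⊥ because the tag no longer matches the encapsulation (the binding that makes the hybrid CCA-robust), and a ciphertext built by the receiver is accepted exactly like the user's.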

Conclusion
In this paper, we designed a hybrid DAE scheme that consists of a PI-HDATK scheme and a DEM. The entities are in a heterogeneous system where the sender belongs to the PKI environment and the receiver belongs to the IBC environment. Our construction achieves confidentiality and deniable authentication in a single logical step. We gave a formal security proof in the ROM. Our performance results show that this construction is secure and efficient. Furthermore, we presented an example applying our design to an LBS system.

Appendix 1
Proof: Our proof strategy is as follows. The modified games Game_0, Game_1, Game_2 are defined as in [52, 53]. The games differ only in how the environment answers F's queries. F receives from its challenge oracle the challenge ciphertext σ* = (ϕ*, c*), which encrypts either m_0 or m_1 according to b under the symmetric key K*. K* is also the key encapsulated in ϕ* under the pk_s and ID_r chosen by F. In Game_i (i = 0, 1, 2), let S_i be the event δ' = δ, where δ is the bit chosen by F's challenge oracle and δ' is the bit F returns. The probability is taken over F's random oracle and F's oracle.
The lemma from [54] is employed as follows.
Game_0: We run the key extraction algorithm to simulate the adversary's view in a real attack and use the produced key to answer F's queries. Thus, the adversary's view is identical to that in a real attack. Hence, we find
Game_1: In this game, we only alter how the DAD oracle answers F's queries. After the challenge DAE oracle has been called, when (ϕ, c), pk_s and ID_r are submitted to the DAD oracle with pk_s = pk*_s, ID_r = ID*_r and ϕ = ϕ*, the DAD oracle does not use the key K but uses K* to decrypt c and passes the result to F. This change is invisible to F, and so
The running time of the PPT algorithm C_1 is identical to that of F, so we have
Proof: The proof below shows how to construct C_1 against the IND-CCA2 security of the PI-HDATK.
The game between C_1 and F is as follows.
• Setup: C_1 passes params to F. Additionally, it passes the sender's public key pk_s to F.
• Phase 1: F submits a receiver's identity ID_j to C_1. C_1 issues a key extraction (KE) query to its own oracle and transmits the response to F. When F makes an encryption query on m and ID_j, C_1 works as follows.
4. Pass c* to its challenger to obtain ϕ*.
• Phase 2: F issues queries as in Phase 1, except that it may not request a KE query on ID_r or a KD query on σ* = (ϕ*, c*) to obtain the corresponding message.
• Guess: F returns δ'. If δ' = δ, C_1 returns b' = 1, meaning that K_b is a genuine key; otherwise it returns b' = 0, meaning that K_b is a random key.
When K_b is a genuine key, F is run exactly as in Game_1. This means
When K_b is a random key, F is run exactly as in Game_2. This implies
From the security definition of PI-HDATK, we obtain
The running time of the PPT algorithm C_2 is identical to that of F, so
Proof: The proof below shows how to construct C_2 against the IND-PA attack. F is run as in Game_2. Before F calls its challenge DAE query, we run the key extraction algorithm to answer F's queries. When F issues its challenge DAE query on identity ID*_r and two messages (m_0, m_1), we forward (m_0, m_1) to C_2's challenge encapsulation oracle to obtain c*. We then issue a GSK query to obtain K* and a KES query to obtain ϕ*. We transmit (ϕ*, c*) to F and discard K*.
Pr[S_2] is the probability that C_2 determines the hidden bit of the challenge encapsulation oracle, since C_2 returns whatever F returns.

Appendix 2
Proof: Suppose F attacks the PI-HDAE scheme with advantage Adv^{DA-CMA}_{PI-HDAE}(F). Then C attacks the DA-CMA security of PI-HDATK with advantage at least Adv^{DA-CMA}_{PI-HDAE}(F). We answer F's queries as follows.
• Setup: C passes params to F. Additionally, C transmits pk_s to F.
• Attack: When F submits an ID_j to C, C issues a KE query to its own oracle and passes the response to F. When F makes a DAE query on m and ID_j, C issues the SKG query, KES query and KD query, just as C_1 does in Lemma 2.
• Forgery: Clearly, this is a perfect simulation. If F wins the DA-CMA game for PI-HDAE, C has the same advantage in winning the DA-CMA game for PI-HDATK.

Appendix 3
Proof: C is given an instance (P, aP, bP, cP) of the DBDH problem and aims to decide whether θ = e(P, P)^{abc}. C acts as the challenger and runs F as a subroutine. C answers F's queries on H_1, H_2 and H_3 with randomly generated values, and keeps lists L_1, L_2 and L_3 to record the answers. We make the following assumptions.
1. Before F issues KE queries, GSK queries, KES queries and KD queries on an identity ID, F first queries H_1 on ID.
2. The encapsulation output by a KES query will not be submitted to a KD query.
• Setup: C transmits the system parameters with P_pub = cP to F, where c is unknown to C. Additionally, C generates the sender's key pair (sk_s, pk_s) and transmits the public key pk_s to F.
• Phase 1: F issues queries as follows.
• H_1 queries: C picks γ ∈ {1, 2, ..., q_{H_1}}. F requests H_1 queries on identities of its choice. At the γ-th query, C replies H_1(ID_γ) = bP. At the j-th query with j ≠ γ, C picks w_j ∈ Z*_q, adds (ID_j, w_j) to the list L_1 and responds H_1(ID_j) = w_j P.
• H_2, H_3 queries: When F issues a hash query, C checks whether the corresponding item is already in the list. If so, F gets the same answer; otherwise, F gets a random value, and the query and value are added to the list.
• Key extraction queries: When F issues a key extraction query on a receiver's identity ID_j: if ID_j = ID_γ, C aborts. Otherwise, L_1 must contain (ID_j, w_j) (meaning that C has replied H_1(ID_j) = w_j P). C computes the private key cH_1(ID_j) = w_j cP = w_j P_pub and transmits it to F.
• Symmetric key generation queries: F submits an ID_j to C. C then computes (K, ω) = Sym(sk_s, pk_s, ID_j) and passes K to F. C saves ω, overwriting the previous value.
• Key encapsulation queries: F submits τ. C checks whether a stored ω exists. If not, C aborts. Otherwise, C computes ϕ = Encap(ω, τ) and transmits the encapsulation ϕ to F.
• Key decapsulation queries: F sends a receiver's identity ID_j, a tag τ, and an encapsulation ϕ.
The probability is at most 1/2^k. If ID_j ≠ ID_γ, C obtains S_{ID_j} by performing the key extraction query and passes the result of Decap(σ, τ, S_{ID_j}) to F.
• Challenge: F decides when Phase 1 is over and generates a receiver's challenge identity ID_r. If F has issued a key extraction query on ID_γ, C aborts. If F does not pick ID_r = ID_γ as the target identity, C aborts as well. C picks W* ∈ G_2, sets V* = aP and computes t* = W*/θ (θ is the DBDH candidate). Then C issues an H_2 query to obtain K_1 = H_2(t*). C randomly picks K_0 and β ∈ {0, 1}, and passes K_β to F. F then passes τ* to C. Afterwards, C transmits σ* = (W*, V*) to F.
• Phase 2: F issues queries as in Phase 1, except that it may not issue a KE query on ID_r or a KD query on (ϕ*, τ*) to obtain the symmetric key.
Now we compute C's success probability. C fails if one of the events below occurs:
• E_1: F does not pick ID_γ as the receiver's identity in the challenge phase.
• E_2: F has issued a KE query on ID_γ.
• E_3: C terminates in a KD query because it rejects a valid encapsulation.

Appendix 4
Proof: We have to fit our design into the signature scheme described in [54], where the simulation step can be carried out without the sender's private key (i.e., without the master private key). In this case, we need an approach to solve the BDH problem.
First, we observe that the PI-HDATK scheme matches the required three-phase honest-verifier zero-knowledge identification protocol, where σ_1 = t is the commitment, h = H_3(τ, t, pk_s, ID_r) is the hash value, and σ_2 = W is the answer.
Second, we give a simulation step and an approach to solve the BDH problem. Given an instance (P, aP, bP, cP) of the BDH problem, C needs to compute h = e(P, P)^{abc}. C runs F as a subroutine. F consults C to answer H_1, H_2 and H_3, and C keeps lists L_1, L_2 and L_3 to store the responses. The process is as follows.
• Setup: C computes params with P_pub = cP and passes them to F. Additionally, C transmits pk_s = aP to F.
• Attack: F issues the following queries.
• H_1 queries: C picks γ ∈ {1, 2, ..., q_{H_1}}. F requests H_1 queries on identities of its choice. At the γ-th query, C replies H_1(ID_γ) = bP. At the j-th query with j ≠ γ, C picks w_j ∈ Z*_q, inserts (ID_j, w_j) into the list L_1 and responds H_1(ID_j) = w_j P.
• H_2, H_3 queries, KE queries, GSK queries, KES queries and KD queries are identical to those in Theorem 3.
• Forgery: F outputs a triple (σ*, τ*, ID_γ), where σ* = (W*, V*). We merge ID_γ and τ* into a "generalized" forged tag (ID_γ, τ*) to hide the identity-based aspect of the DA-CMA attack, and simulate the setting of an identity-less adaptive-CMA existential forgery. If F is an efficient forger, then we can construct a Las Vegas machine F' that outputs ((ID_γ, τ*), h*, σ*) and ((ID_γ, τ*), h̄*, σ̄*) with h* ≠ h̄* and the same commitment t*. To solve the BDH problem using the machine F', we construct a machine C' as follows.
From the forking lemma [54] and the lemma on the relationship between given-identity and chosen-identity attacks [55], if F succeeds with probability ε_datk ≥ 10(q_ke + 1)(q_ke + q_{H_3}) q_{H_1} / (2^k − 1) in time t, then C' solves the BDH problem in expected time t' ≤ 120686 q_{H_3} q_{H_1} 2^k / (ε_datk (2^k − 1)).