Unbounded and revocable hierarchical identity-based encryption with adaptive security, decryption key exposure resistant, and short public parameters

Qianqian Xing; Baosheng Wang; Xiaofeng Wang; Jing Tao

doi:10.1371/journal.pone.0195204

Abstract

Revocation functionality and hierarchy key delegation are two necessary and crucial requirements to identity-based cryptosystems. Revocable hierarchical identity-based encryption (RHIBE) has attracted a lot of attention in recent years, many RHIBE schemes have been proposed but shown to be either insecure or bounded where they have to fix the maximum hierarchical depth of RHIBE at setup. In this paper, we propose a new unbounded RHIBE scheme with decryption key exposure resilience and with short public system parameters, and prove our RHIBE scheme to be adaptively secure. Our system model is scalable inherently to accommodate more levels of user adaptively with no adding workload or restarting the system. By carefully designing the hybrid games, we overcome the subtle obstacle in applying the dual system encryption methodology for the unbounded and revocable HIBE. To the best of our knowledge, this is the first construction of adaptively secure unbounded RHIBE scheme.

Citation: Xing Q, Wang B, Wang X, Tao J (2018) Unbounded and revocable hierarchical identity-based encryption with adaptive security, decryption key exposure resistant, and short public parameters. PLoS ONE 13(4): e0195204. https://doi.org/10.1371/journal.pone.0195204

Editor: Muhammad Khurram Khan, King Saud University, SAUDI ARABIA

Received: November 2, 2017; Accepted: March 19, 2018; Published: April 12, 2018

Copyright: © 2018 Xing et al. This is an open access article distributed under the terms of the Creative Commons Attribution License, which permits unrestricted use, distribution, and reproduction in any medium, provided the original author and source are credited.

Data Availability: All relevant data are within the paper. My manuscript focuses on a problem in the cryptography research. All the data for the comparison and evaluation is refered to the relative papers in the references of the paper.

Funding: This work was supported by National Basic Research and Development Program of China (973 Program), No. 2012CB315906, http://program.most.gov.cn/, Baosheng Wang (study design, and decision to publish is his role); and National Key Research and Development Program of China, No. 2017YFB0802301, http://program.most.gov.cn/, Xiaofeng Wang (data analysis and preparation of the manuscript is his role).

Competing interests: The authors have declared that no competing interests exist.

1 Introduction

Revocation functionality is indispensable to (H)IBE since there are threats of leaking a secret key by hacking or legal situation of expiration of contract for using system. In those seminal works [1] [2], it has also been pointed out that providing an efficient key hierarchy delegation mechanism for IBE is essential. To satisfing both hierarchical key delegation and user revocation, revocable hierarchical identity-based encryption (RHIBE) has been paid attention. Unfortunately most of existing RHIBEs proposed [1] [3] [4] [5] [6] [7] are either insecure or bounded where they have to fix the maximum hierarchical depth of RHIBE at setup. Bounded (R)HIBE schemes restrict the maximum hierarchy of (R)HIBE, i.e., they need to declare the max level in the public parameters at setup phase. It is highly impossible to set the maximum hierarchy properly in practice: too small to accommodate enough users or too large that wastes identity space needlessly and increase keys computation unnecessarily.

In contrast, the unbounded RHIBE is more scalable to achieve efficient and dynamic user management. Ryu proposed an unbounded RHIBE scheme [7] inspired by an universe KP-ABE [8]. But it only achieves selective-ID security. In selective-ID security notion, the reduction algorithm requires the challenge identity before the setup phase in the proof [1, 3]. That means the adversary holds no information before giving the challenge ID, but the simulator can exploit the challenge information submitted by the adversary to construct the trick public parameters and other keys in games. That is a weaker security notion.

Adaptive-ID security represents full security notion that an adversary gives the challenge identify when he has learnt the public information. Lee [5] considered the adaptively secure RHIBE but his scheme don’t support the property of unbounded hierarchical key delegation. Xing [9] claimed to achive the first adaptively secure and unbounded RHIBE, but its security proof that uses the dual system encryption technique has some flaws. Therefore, the construction of an adaptively secure unbounded RHIBE scheme is still an unsolved open problem.

1.1 Our techniques

The dual system encryption framework [10] is usually for proving the adaptive security of HIBEs in composite-order bilinear groups. To achieve the adaptive security in the framework, the notion of semi-functionality is introduced [10] [11] and the proof strategy is that a normal challenge ciphertext is changed to be semi-functional, and then each normal private key is changed to be semi-functional one by one through hybrid games.

There is a paradox that need to be overcome. Since a normal ciphertext can be decrypted by a semi-functional private key but a semi-functional ciphertext cannot be decrypted by a semi-functional private key, a simulator can check whether a private key is normal or semi-functional by decrypting a semi-functional ciphertext(note that a simulator can generate a ciphertext and a private key for any identity). To overcome the obstacle, the nominally semi-functional type of private keys is introduced: the challenge semi-functional private key is constructed as a nominally semi-functional private key so that the semi-functional ciphertext of the same identity the simulator generates always can be decrypted by it. In addition, a detailed information theoretic argument should be given to argue that a nominally semi-functional key is indistinguishable from a semi-functional key.

Although the dual system encryption is maturing to exploit in normal HIBEs to achieve the adaptive security, it is more complex when dealing with revocable HIBE schemes. In HIBE, the essential restriction for the information theoretic argument is that an adversary cannot query a private key for ID that is a prefix of the challenge identity ID*. However, the restriction do not exist in RHIBEs. The private key of any prefix of ID* and the update key for the challenge time T* are both allowed to query for the adversary in RHIBEs. Recall that the simulator of an HIBE scheme can change the normal-private key to a semi-functional private key by using a nominally semi-functional key and the constraint ID ∉ Prefix(ID*) of the security model. The nominally semi-functional key is indistinguishable from a semi-functional key by an information theoretic argument using the constraint ID ∉ Prefix(ID*). However, in the case of (U-)RHIBE, a simple method cannot change the normal-private key to the semi-functional private key since the adversary can query and achieve the private key for any ID ∈ Prefix(ID*).

Moreover, an unbounded RHIBE scheme has so low entropy context that it is hard to execute an information-theoretic argument, which is different with those bounded RHIBE schemes. So the dual system encryption method in Lee-RHIBE [5] does not work. Although Lewko and Waters [12] has proposed a nested dual system encryption approach to allow a sufficient information-theoretic argument in a very localized context for unbounded HIBEs, the trival applying to a revocable extention scheme is inappropriate to hold the paradox information theoretic argument. Unfortunately Xing and Wang [9] have neglected this important change, so that the proof of their unbounded RHIBE scheme is non-rigorous with flaws. Obviously the attacker can distinguish between the oracles they design for the game hoppings in [9], which is not as they claimed in Lemma 4.

To circumvent the subtle obstacle and apply the dual system encryption methodology for our adaptively secure unbounded RHIBE with decryption key exposure resistance, our strategy is threehold:

(1) We use a modular design strategy like [13] and construct the private keys and update keys from smaller component keys. A private key consists of many HIBE private keys that are related to a path in a binary tree and an update key also consists of many IBE private keys that are related to a cover set in a binary tree. The HIBE and IBE private keys can be grouped together if they are related to the same node in a binary tree. So we change to deal with the transformation of component HIBE and IBE keys in the hybrid games instead of directly with the private keys and update keys of RHIBE which cannot be simply changed from normal keys to semi-functional keys.

(2) We design a nested dual system encryption for revocable and hierarchical IBE schemes with the concept of ephemeral semi-functionality for secret keys, update keys, decryption keys and ciphertexts. To demonstrate a hybrid process of games to chellenge keys and ciphertexts, we define several oracles to simulate the different forms of the component HIBE and IBE keys which construct the semi-functional or ephemeral semi-functional secret keys, update keys and decryption keys.

(3) For showing an information theoretic argument under RHIBE model successfully, we firstly classify the behavior of an adversary as two types under the restriction of the RHIBE security model. The Type-1 adversary is restricted to queries on the secret keys of any hierarchical identity satistying , so we carefully re-design a sequence of hybrid games to show several times of information theoretic arguments successfully for the secret keys and avoid a potential paradox for the update keys. The Type-2 adversary is restricted to queries on the update keys on the time T ∉ T*, so we carefully re-design the other sequence of hybrid games to show several times of information theoretic argument successfully for the update keys and avoid a potential paradox for the secret keys.

1.2 Our result

We propose the first adaptively secure unbounded RHIBE in composite-order bilinear groups under simple static assumptions. It removes the limitation of the maximum hierarchical depth in the encryption system and accommodate more levels of user adaptively without adding workload or restarting the system. Our RHIBE scheme also supports decryption key exposure resistance by the key-randomization method which meets the strong security notion for R(H)IBE [14].

Compared to existing RHIBE schemes, it is the first RHIBE to achieve simultaneously adaptive-ID security, decryption key exposure resistance and unbounded key delegation, as shown in Table 1. In Table 2, we discuss the comparison about the efficiency of key space and decryption computation, noted that l is the maximum level of the hierarchy, h is the level of a user in the hierarchy, N is the number of maximum users in each level, r is the number of revoked users, t_e is the cost for performing a bilinear pairing, |G| and |G_T| are the sizes of one element in G and G_T respectively. Our RHIBE scheme has the short and constant public parameter which is independent with the maximum level of the system hierarchy. Moreover, our RHIBE reduces the size of the update key from O(hrlog(N/r))to O(h + rlog(N/r)).

Download:

Table 1. Comparisons among RHIBE schemes.

https://doi.org/10.1371/journal.pone.0195204.t001

Download:

Table 2. Comparisons among RHIBE schemes.cont.

https://doi.org/10.1371/journal.pone.0195204.t002

1.3 Related works

Efficient user revocation in RHIBE.

An efficient tree-based key updating technique called the complete subtree (CS) method is a specific instance of the subset cover framework of Naor et al. [15]. In the scalable RIBEs using the CS method [16] [17] [14] [18] [19], every user holds a secret key composed of logN subkeys, where N is the number of all users, and only one subkey of a non-revoked user can be used to generate a decryption key. If we directly extend this mechanism to RHIBE scheme, the second-level user need to prepare (logN)² subkeys since for every subkey of his parent he needs to generate logN subkeys respectively, which results to (logN)^l subkeys for an l-level user. Tsai et al. simply set the update key as another secret key in their RHIBE scheme [4]. Their construction is just as a trivial combination of two concurrent HIBE system, one for the derivation of secret keys and another for update keys. Lack of any efficient method of update and revocation, the size of the update key depends on the size of users linearly instead of logarithmically. Moreover, his approach require a new key center for update keys (called delegated revocation authority, DRA). That double deployment of key centers increases the system cost. Seo and Emura proposed a revocable HIBE scheme [1] with (l²logN)-size secret keys for a user, where l is the maximum hierarchical level. This history preserving update method leads to a lengthy history information in an update key and requires the recursive definition of secret keys and update keys. Afterward Seo proposed a RHIBE with (l ⋅ logN)-size secret keys for a user by a history-free update method. Recently, Lee and Park [13] proposed a new RHIBE scheme with shorter private keys and update keys by combining a new HIBE scheme that has short intermediate private keys and the CS scheme in a modular way, where the size of the secret key is (logN) and the size of the update key is (l + rlog(N/r)). Another revocation method called the subset difference (SD) method [20] was utilized to construct the RHIBE in [3] [13] [5]. Although this method has better performance in the transmission complexity, it has larger secret key size than the CS method.

Security model of R(H)IBE.

Decryption key exposure resistance (DKER) has be considered by Seo [14], which discusses about the case where several decryption keys dk_{I*, T} for the target identity I* are leaked to an adversary but the target decryption key dk_{I*, T*} is not exposed. Another attacks should be considered like insiders attack [3]. Since the hierarchical structure in RHIBE determines that every user as a low-level KGC hold the state information about his low-level children users, a stronger security model than RIBE should be considered where it allows an insider adversary to access at least their own state information. The key re-randomization method [3] is an operable way to resist this attack and also decryption key enclosure attack mentioned in [3, 14].

Adaptive security of R(H)IBE.

By employing dual system encryption methodology [10, 11], the adaptive-ID security can be directly proved in (H)IBE. But the security model of revocable HIBE is different from general HIBEs, since the system of RHIBE just not allow the decryption key query of the challenge identity and its ancestor at the challenge time, but allows the secret key query of the challenge identity and its ancestor identity. Therefore, the dual system encryption of RHIBE is more complex than general dual system of HIBE. Those adaptive-ID secure RHIBEs [6] [5] employed the dual system encryptions which are applicable to bounded schemes. Their proof strategy cannot be employed to unbounded (R)HIBE schemes, cause the limited entropy available in the public parameters in unbounded schemes makes it difficult to construct the nominally semi-functional key without information-theoretic exposure. By applying the dual system encryption methodology in prime-order, Yohei [21] realizes an RIBE scheme with constant-size public parameter under static assumptions in prime-order groups.

2 Preliminaries

2.1 Revocable HIBE

Definition 1 We define a RHIBE scheme π = (Setup, GenKey, DeriveKey, UpdateKey, Encrypt, Decrypt, Revoke) as following:

Setup(1^λ): It takes a security parameter λ, and outputs a master public key PP, a master secret key MK, initial state ST₀, and an empty revocation list RL. Note that we don’t require the maximum number of users in each level as an input parameter, unlike the defination by all the bounded RHIBEs.
GenKey(ID|_k, ST_{ID|_k−1}, PP): This algorithm takes as input ST_{ID|_k−1} and an identity ID|_k outputs the secret key SK_{ID|_k}, and updates ST_{ID|_k−1}.
UpdateKey(T, RL_{ID|_k−1}, DK_{ID|_k−1,T}, ST_{ID|_k−1}, PP): This algorithm takes as input the revocation list RL_{ID|_k−1}, state information ST_{ID|_k−1}, the decryption key DK_{ID|_k−1,T},and a time period T. Then, it outputs the update key UK_{ID|_k−1,T}.
DeriveKey(SK_{ID|_k}, UK_{ID|_k−1,T}, PP): This algorithm takes as input SK_{ID|_k} of ID|_k and UK_{ID|_k−1,T}, and outputs the decryption key DK_{ID|_k, T} of ID|_k at time T if ID|_k is not revoked at T by the parent, else outputs ⊥.
Encrypt(ID|_l, T, M, PP): This algorithm takes as input a message M, ID|_l and the current time T and outputs the ciphertext CT.
Decrypt(CT_{ID|_l, T}, DK_{ID′|_k, T′}, PP): This algorithm takes as input CT_{ID|_l, T} and DK_{ID′|_k, T′}, and outputs the message if ID′|_k is a prefix of ID|_l and T T = T′, else outputs ⊥.
Revoke(RL_{ID|_k−1}, ST_{ID|_k−1}, ID|_k, T): This algorithm takes as input ID|_k and T, updates RL_{ID|_k−1} managed by ID|_k−1, who is the parent user of ID|_k, by adding (ID|_k, T).

Definition 2 We define an experiment under the adaptive-ID security against chosen plaintext attacks model in [5], as named “IND-RID-CPA” security.

In the above experiment, O is a set of oracles {SKGen_Q(⋅), KeyUp_Q(⋅, ⋅), Revoke_Q(⋅, ⋅), DKGen_Q(⋅, ⋅)} defined as follows:

SKGen_Q(⋅): For ID|_k ∈ , it returns SK_{ID|_k} (by running GenKey(ID|_k, ST_{ID|_k−1}, PP)→ SK_{ID|_k}).
KeyUp_Q(⋅, ⋅): For T ∈ and BT_{ID|_k−1}, it returns KU_{T, ID|_k−1} (by running UpdateKey(T, RL_{ID|_k−1}, DK_{ID|_k−1}, ST_{ID|_k−1}, PP) → KU_t).
Revoke_Q(⋅, ⋅): For ID|_k ∈ and T ∈ , it returns the updated revocation list RL (by running Revoke(RL_{ID|_k−1}, ST_{ID|_k−1}, ID|_k, T)).
DKGen_Q(⋅, ⋅): For ID|_k ∈ and T ∈ , it returns DK_{ID|_k, T} (by running DeriveKey(SK_{ID|_k}, UK_{ID|_k−1,T}, PP)→DK_{ID|_k, T}).

is allowed to issue the above oracles with the following restrictions:

Revoke_Q(⋅, ⋅) can be queried on time T if KeyUp_Q(⋅) was queried on T.
DKGen_Q(⋅, ⋅) cannot be queried on time T before KeyUp_Q(⋅) was queried on T.
If requested a private key query for that is a prefix of where k ≤ l, then the identity or one of its ancestors should be revoked at some time T where T ≤ T*.
A cannot request a decryption key query for the challenge identity ID*|_l or its ancestors on the challenge time T*.
cannot request a revocation query for ID|_k on time T if he already requested an update key query for ID|_k in time T.
must query to KeyUp(⋅, ⋅) and Revoke(⋅, ⋅) for same identity in increasing order of time.

The advantage of is defined as . We say that RHIBE is IND-RID-CPA secure if for all PPT adversary , his advantage is negligible in the security parameter λ.

2.2 Complexity assumptions

We generate where G and G_T be cyclic groups with order N and p = p₁ p₂ p₃, p₁, p₂, p₃ are distinct prime numbers, e: G×G→ G_T is an efficient, nondegenerate bilinear map. We denote the subgroup of G with order p_i as G_{p_i}. We define a function for any PPT algorithm and parameters D, T₁, T₂.

Assumption 1. Let , , , , we say that satisfies Assumption 1 if is a negligible function of λ for any PPT algorithm is .

Assumption 2. Let , , , , T₁ be e(g, g)^αs, , D = , we say that satisfies Assumption 2 if is a negligible function of λ for any PPT algorithm is .

Assumption 3. Let , , , , , D = , we say that satisfies Assumption 3 if is a negligible function of λ for any PPT algorithm is .

Assumption 4. Let , , , , , D = , we say that satisfies Assumption 4 if is a negligible function of λ for any PPT algorithm is .

3 Design of U-RHIBE system

We firstly describe the key encapsulation mechanism (KEM) version of the unbounded HIBE scheme [12] and its 1-level (H)IBE scheme that are used as the building blocks of our RHIBE schemes. Let be the bilinear group, where λ is a security parameter and g₂ denotes a generator of G_p₂, g₃ denotes a generator of G_p₃ and g be a generator of G_p₁.

3.1 HIBE scheme

We define a key-group function κ(I, y, r) as the group elements and an expression g^λ κ(I, y, r) as

HIBE.Setup(GS): It selects and . It outputs a master key MK = α and public parameters PP = ((p, G, G_T, e), g, u, h, w, v, Ω = e(g, g)^α).

HIBE.GenKey(ID|_k, MK, PP): Let the identity , and be the identity space. It chooses where λ₁ + ⋯ + λ_k = α and outputs a private key .

HIBE.RandKey(ID|_k, SK_{ID|_k}, PP): Let . It chooses where λ₁ + ⋯ + λ_k = 0 and outputs a re-randomized private key .

HIBE.Delegate(ID|_k, SK_{ID|_k−1}, PP): Let . It chooses where λ₁ + ⋯ + λ_k = 0 and creates a temporal delegated private key . Next, it outputs a delegated private key SK_{ID|_k} by running HIBE.RandKey(ID|_k, TSK_{ID|_k}, PP).

HIBE.Encaps(ID|_l, s, PP): Let ID|_l = (I₁, …, I_l) ∈ I^l. It chooses and outputs a ciphertext and a session key EK = Ω^s.

HIBE.Decaps(CT_{ID|_l}, SK_{ID′|_k}, PP): Let , . If ID′|_k is a prefix of ID|_l, it outputs a session key e(C_i,2, K_i,2))). Otherwise, it outputs ⊥.

Additionally, we introduce two algorithms for our modular RHIBE construction, the ChangeKey algorithm and the MergeKey algorithm, which are defined similarly with the algorithms in [5].

HIBE.ChangeKey(SK_{ID|_K}, δ, PP): Let . It chooses where λ₁ + ⋯ + λ_k = δ and sets . It outputs a new private key SK_{ID|_K} ← HIBE.RandKey(ID|_k, TSK_(n), PP).

HIBE.MergeKey: Let and be two private keys for the same identity ID|_K. It computes a temporal private key . Next, it outputs a merged private key SK_{ID|_K} ← HIBE.ChangeKey(TSK, η, PP). Note that the master key part is α₁ + α₂ + η if the master key parts of and are α₁ and α₂ respectively.

3.2 IBE scheme

A trivial extension to RHIBE from the HIBE in [12] constructs the decryption key of (T, ID|_k) as . It remains some problem in the proof of RHIBE model, where the information theoretic argument is not easy to show as of the model of HIBE. So we modify the construction by defining a new update-key-group function as (1) and D₀ = , which is constructed from the component IBE secret key.

IBE.Setup(GS): It selects and . It outputs a master key MK = β and public parameters PP = ((p, G, G_T, e), g, u₀, h₀, w₀, v₀, Ω = e(g, g)^β).

IBE.GenKey(T, MK, PP): This algorithm takes as input a time T and the master key MK, and the public parameters PP. It chooses and outputs a IBE secret key SK_T = g^α κ_T(T, y, r).

IBE.RandKey(T, SK_T, PP): Let the private key be . It chooses and outputs a re-randomized private key .

IBE.Encaps(T, s, PP): It chooses and outputs a ciphertext and the session key EK = Ω^s.

IBE.Decaps(CT_T, SK_T′, PP): Let the ciphertext CT_T = (C₀, C₁, C₂, C₃), the private key SK_T = (K₀, K₁, K₂, K₃). If T = T′, it outputs a session key EK = e(C₀, K₀)e(C₃, K₃)/(e(C₁, K₁) e(C₂, K₂)). Otherwise, it outputs ⊥.

The contruction of IBE.ChangeKey and IBE.MergeKey is similar with HIBE.ChangeKey and HIBE.MergeKey and we omit them here.

3.3 The CS method

We exploit the complete subtree (CS) method to construct our RHIBE scheme. We follow the definition of the CS scheme in the work of Lee and Park [22].

CS.Setup(N_max): Let N_max = 2ⁿ. It first sets a full binary tree of depth n. Each user is assigned to a different leaf node in . The collection S is defined as {S_i} where S_i is the set of all leaves in a subtree with a subroot . It outputs the full binary tree .

CS.Assign: Let v_ID be a leaf node of that is assigned to the user ID. Let (v_k₀, v_k₁, ⋯, v_{k_n}) be the path from the root node v_k₀ = v₀ to the leaf node v_{k_n} = v_ID. For all j ∈ {k₀, ⋯, k_n}, it adds S_j into PV_ID. It outputs the private set PV_ID = {S_j}.

CS.Cover: It first computes the Steiner tree ST(R). Let be all the subtrees of that hang off ST(R), that is all subtrees whose roots v_k₁, ⋯, v_{k_m} are not in ST(R) but adjacent to nodes of outdegree 1 in ST(R). For all i ∈ {k₁, ⋯, k_m}, it adds S_i into CV_R. It outputs a covering set CV_R = {S_i}.

CS.Match(CV_R, PV_ID): It finds a subset S_k with S_k ∈ CV_R and S_k ∈ PV_ID. If there is such a subset, it outputs S_k. Otherwise, it outputs ⊥.

3.4 Construction

RHIBE.Setup(1^λ, N_max): The Setup algorithm takes a security parameter λ and a maximum number of users for each level N_max as input. It firstly runs to obtains two groups G, G_T of order p = p₁p₂p₃, where p₁, p₂, p₃ are distinct primes, and a bilinear map e: G×G→G_T. It sets GS = ((N, G, G_T, e), g, g₂, g₃) where g, g₂ and g₃ denote the generators of G_p₁, G_p₂, and G_p₃ in order. It selects a random exponent α ∈ Z_p, set Ω be e(g, g)^α. It outputs a master key MK = α and public parameters PP = (PP_HIBE, PP_IBE, Ω, N_max), where PP_HIBE ← HIBE.Setup(GS), and PP_IBE ← IBE.Setup(GS).

RHIBE.GenKey(ID|_k, ST_{ID|_k−1}, PP): This algorithm takes as input an identity ID|_k = (I₁, …, I_k) ∈ , the state ST_{ID|_k−1} which contains BT_{ID|_k−1}.

If ST_{ID|_k−1} is empty, it obtains BT_{ID|_k−1} ← CS.Setup(N_max) and then it sets ST_{ID|_k−1} = (BT_{ID|_k−1}, β_{ID_k−1}, z_{ID_k−1}), where β_{ID_k−1} is a false master key and z_{ID_k−1} is a PRF key.
It first assigns ID|_k to a random leaf node v ∈ BT_{ID|_k−1} and obtains a node set Path(ID|_k) ← CS.Assign(BT_{ID|_k−1}, ID|_k) for ID|_k. For each S_θ ∈ Path, it computes γ_θ = PRF (z_{ID_k−1}, L_θ) where L_θ = Label (S_θ) and obtains an HIBE private key SK_{HIBE,S_θ} ← HIBE.GenKey(ID|_k, γ_θ, PP). Finally, it outputs a private key SK_{ID|_k} = (Path, {SK_{HIBE,S_θ}}_{S_θ∈Path}). Note that the master key part of SK_{HIBE,S_θ} is γ_θ.

RHIBE.UpdateKey(T, RL_{ID|_k−1}, DK_{ID|_k−1}, ST_{ID|_k−1}, PP): let , the state ST_{ID|_k−1} = (BT_{ID|_k−1}, β_{ID|_k−1}, z_{ID|_k−1}) with k ≥ 1.

It first obtains a randomized decryption key RDK_{ID|_k−1,T} as (RSK_IBE, RSK_HIBE)←RHIBE.RandDK(DK_{ID|_k,T}, −β_{ID|_k−1}, PP).
It derives the set of revoked identities R at time T from RL_{ID|_k−1}. Next, it obtains a covering set CV_R = {S_i} by running CS.Cover(BT_{ID|_k−1}, R).
For each S_i ∈ CV_R, it computes γ_i = PRF(z_{ID_k−1}, L_i) where L_i = Label(S_i) and obtains an IBE private key . Then It computes
It finally outputs an update key UK_{ID|_k−1,T} = (CV_R, {SK_{IBE,S_i}, RSK_HIBE}_{S_i ∈ CV_R}). Note that the master key parts of RSK_HIBE and SK_{IBE, S_i} are η′ and α − η′ − γ_i for some random η′ respectively.

RHIBE.DeriveKey(SK_{ID|_k}, UK_{ID|_k−1,T}, PP): This algorithm takes as input a private key SK_{ID|_k} = (Path, {SK_{HIBE,S_θ}}_{S_θ ∈ Path}) for an identity ID|_k, an update key for time T.

If K = 0, then SK_ID|₀ = MK = α and UK_ID|₋₁,T is empty. It selects a random exponent η ∈ Z_p. It then obtains RSK_{HIBE, ID|₀} ← HIBE.GenKey(ID|₀, η, PP) and RSK_IBE,T ← IBE.GenKey(T, α − η, PP). It outputs a decryption key DK_ID|₀,T = (RSK_{IBE, T}, RSK_{HIBE, ID|₀}).
If k ≥ 1, then if ID|_k ∉ RL_{ID|_k−1}, then it obtains (S_i, S_i) by running CS.Match(CV_R, Path). Otherwise, it outputs ⊥. It derives SK_{HIBE,S_i} from SK_{ID|_k} and SK_{IBE,S_i} from UK_{ID|_k−1,T}.
It obtains PP) since ID|_k−1 ∈ Prefix(ID|_k). Next, it selects a random exponent η ∈ Z_p, obtains SK_{HIBE,S_i}, η, PP) and obtains RSK_IBE,T ← IBE.ChangeKey(SK_{IBE,S_i}, −η, PP) respectively. Finally, it outputs a decryption key DK_{ID|_k,T} = (RSK_IBE,T, RSK_{HIBE, ID|_k}).

Note that the master key parts of RSK_{HIBE, ID|_k} and RSK_{IBE, T} are η′ and α − η′ for some random η′ respectively.

RHIBE.RandDK: Let , and β ∈ Z_p be an exponent. It first selects a random exponent η and obtains and PP). It outputs a re-randomized decryption key DK_{ID|_k,T} = (RSK_IBE,T, RSK_{HIBE, ID|_k}).

RHIBE.Encrypt(ID|_l, T, M, PP): This algorithm takes as input an identity , time T, a message . It chooses a random exponent t ∈ Z_p. Next it obtains (CH_{HIBE,ID|_l}, EK_HIBE) ← HIBE.Encaps(ID|_l, t, PP). It also obtains (CH_IBE,T, EK_IBE) ← IBE.Encaps(T, t, PP). It outputs a ciphertext CT_{ID|_k,T} = (CH_IBE,T, CH_{HIBE,ID|_l}, C = Ω^t ⋅ M).

RHIBE.Decrypt(CT_{ID|_l,T}, DK_{ID′|_k,T′}, PP): This algorithm takes as input a ciphertext CT_{ID|_l,T} = (CH_IBE,T, CH_{HIBE,ID|_l}, C), a decryption key DK_{ID′|_k,T′} = (RSK_IBE,T′, RSK_{HIBE,ID′|_k}). If ID′|_k is a prefix of ID|_l and T = T′, then it obtains EK_HIBE ← HIBE.Decaps(CH_{HIBE,ID|_l}, RSK_{HIBE,ID|_k}, PP) and EK_IBE ← IBE.Decaps(CH_IBE,T, RSK_IBE,T, PP). Otherwise, it outputs ⊥. It outputs an encrypted message by computing M = C ⋅ (EK_HIBE ⋅ EK_IBE)⁻¹.

RHIBE.Revoke(ID|_k, T, RL_{ID|_k−1}, ST_{ID|_k−1}): This algorithm takes as input an identity ID|_k, revocation time T, the revocation list RL_{ID|_k−1}, and the state ST_{ID|_k−1}. If (ID|_k, −) ∉ ST_{ID|_k−1}, then it outputs ⊥ since the private key of ID|_k was not generated. Otherwise, it adds (ID|_k, T) to RL_{ID|_k−1} and outputs the updated revocation list RL_{ID|_k−1}.

3.5 Correctness

If a user is not revoked at time T, the RHIBE.DeriveKey algorithm correctly derive his decryption key DK_{ID|_k,T} as

The RHIBE.Decrypt algorithm takes CT_{ID|_l,T} as input, where and computes B = C/M as

4 Security analysis

We use the dual system encryption proof techinique to prove the adaptive security of our U-RHIBE. We adopt the concept of ephemeral semi-functionality [12] and design a new nested dual system encryption for unbounded RHIBEs. As an intermediary transforming stage between the normal and semi-functional distributions, the ephemeral semi-functionality helps us to overcome the challenge presented by low entropy in the public parameters.

Theorem 1 Our unbounded RHIBE scheme is IND-RID-CPA secure if Assumption 1–4 hold.

Proof We firstly define the semi-functional type and the ephemeral semi-functional types of keys and ciphertexts in Sec.4.1 which represent the types of keys and ciphertexts answered to the queries in the challenge game. Secondly we conduct the security proof by the indistinguishabilities of a sequence of hybrid games that we define in Sec.4.2.

4.1 Definition of (ephemeral) semi-functional keys and ciphertexts

For constructing the different types of ciphertexts, secret keys, update keys and decryption keys, the challenger is initially given renadom elements g, u, v, w, u₀, v₀, w₀ ∈ G_p₁, g₂ ∈ G_p₂, g₃ ∈ G_p₃, as well as random exponents ψ₁, ψ₂, σ₁, σ₂, a′, b′, s, δ₁, δ₂, γ.

We define the semi-functional ciphertext and five types of ephemeral semi-functional ciphertexts of a normal ciphertext CT_{ID|_l,T} by changing the C₀ element into G_p₁p₂ and the l + 1 numbers of the ciphertext-element-groups (C_i,1, C_i,2, C_i,3) into different types. The definations of ephemeral semi-functional ciphertexts called ESF-1-CT, ESF-2^k-CT, ESF-3^k-CT, ESF-4^k-CT and ESF-5-CT where 0 ≤ k ≤ l are in Appendix.A. In the definations of the semi-functional ciphertext, we add G_p₂ term on the first element of all ciphertext-element-groups.

RHIBE.EncryptSF: It firstly obtains the normal ciphertext CT_{ID|_l,T} = (C, C₀, ) for an identity , a time and a message . It chooses exponents γ, δ₁, δ₂ ∈ Z_p and outputs the SF-CT as

As we mentioned before, our normal secret key and update key cannot be simply changed to semi-functional keys as same as in [11] one by one owing to the inefficiency of the information theoretic argument in our scheme. And we divide secret keys and update keys into samll component keys which are group together if they are related to the same node in a binary tree.

We only change the last element-group of our normal secret key for constructing the semi-functional secret key and the ephemeral semi-functional secret key like in [11]. We define one type of semi-functional secret key and five types of ephemeral semi-functional secret key. The defination of ephemeral semi-functional secret key called ESF-1-SK, ESF-2-SK, ESF-3-SK, ESF-4-SK and ESF-5-SK are in Appendix.A. In the defination of the semi-functional secret key, we add G_{p₂ p₃} term on the first 2 elements and the last element of the last element-group.

RHIBE.SKeySF : It constructs the correlative sub-key to the node θ ∈ Path(ID_j) in the BT_{ID|_j−1} as follows: It chooses random exponents y′, r ∈ Z_p and choose σ₁, ψ₁ ∈ Z_p, then it constructs κ^sf(I_j, y′, r) for the last element-group as

And the contruction of the other element-groups follows the construction of SK_{HIBE,S_θ} in RHIBE.GenKey.

We define one type of semi-functional update key and five types of ephemeral semi-functional update key. The defination of ephemeral semi-functional update key called ESF-1-UK, ESF-2-UK, ESF-3-UK, ESF-4-UK and ESF-5-UK are in Appendix.A. The constructions from the normal component update key to the (ephemeral) semi-functional component update keys are similar to that of secret keys, expect that we change the first element group of normal component update key to different types.

RHIBE.UpdateKeySF : It constructs the correlative component key to the node θ ∈ KUNode as follows: It chooses random exponents y′, r ∈ Z_p and choose σ₂, ψ₂ ∈ Z_p, then it constructs of the first element-group (U_0,0, U_0,1, U_0,2, U_0,3) as

And the contruction of the other element-groups follows the construction of RSK_HIBE and SK_{IBE,S_θ} in RHIBE.UpdateKey.

RHIBE.DeriveKeySF: Let be a semi-functional secret key generated by the RHIBE.GenKeySF algorithm and be a semi-functional update key for time T generated by the RHIBE.UpdateKeySF algorithm. If ID|_k ∉ RL_{ID|_k−1}, then it finds a unique node θ* by running CS.Match(CV_R(BT_{ID|_k−1}, RL_{ID|_k−1}, T), Path(ID|_k)). Otherwise, it outputs ⊥. It derives from and from for the node θ*. Then the semi-functional decryption key is as Then we re-randomize it by running RHIBE.RandDK and output it.

4.2 Sequence of games

We define a squence of games to verify the advantage in distinguishing G_Real and G_Final is negligible. In Table 3, we give the types of key in the queries and the challenge cipertext in every game, and the decryption situation according to the types of keys and ciphertexts.

Download:

Table 3. Defination of games.

https://doi.org/10.1371/journal.pone.0195204.t003

G_Real: It is the original game in which all seceret keys, update keys, decryption keys and ciphertexts are normal.

G_C: The challenge ciphertext is changed to be semi-functional and all other keys are still normal.

G_C′: This game is exactly like Game_C, except for a added restriction about the challenge key identity vector. We explain the restriction in Sec.4.6.

G_E−S: The secret keys are changed to ESF-2. The update keys and decryption keys are still normal. The challenge ciphertext is semi-functional. This game is used in the proof of the security against Type-1 adversary.

G_E−U: The update keys are changed to ESF-2. The secret keys and decryption keys are still normal. The challenge ciphertext is semi-functional. This game is used in the proof of the security against Type-2 adversary.

G_E−S′: This game is almost as same as G_E−S except the challenge ciphertext is chaged to ESF-1. This game is used in the proof of the security against Type-1 adversary.

G_E−U′: This game is almost as same as G_E−U where the update keys are ESF-2, the secret keys and decryption keys are normal, except the challenge ciphertext is chaged to ESF-1. This game is used in the proof of the security against Type-2 adversary.

G_ESF′: The update keys and secret keys are all changed to ESF-2. The challenge ciphertext is changed to ESF-1. The decryption keys are still normal.

G_SF″: All secret keys, update keys, and challenge ciphertext are changed to semi-functional. The decryption keys are still normal.

G_E−D: The decryption keys are changed to ESF-2. The other keys and the challenge ciphertext are still semi-functional.

G_ESF: The challenge ciphertext is changed to ESF-1. The update keys and secret keys are all still semi-functional. The decryption keys are still ESF-2.

G_SF′: The challenge ciphertext is changed to semi-functional. The decryption keys are changed to be semi-functional. That is, all secret keys, update keys, decryption keys, and challenge ciphertext are now semi-functional. This game is exactly like G_SF, except for a added restriction about the challenge key identity vector. We explain the restriction in Sec.4.6.

G_SF: The challenge ciphertext and all keys are semi-functional.

G_Final: The session key is changed to be random and so the adversary has no advantage to distinguish the challenge massage.

Let be the advantage of in the real game. From the all the lemmas in this section, we obtain the following equation

4.3 Definition of oracles

We introduce seven oracles which answer queries from the challenger by sampling various distributions of group elements from a composite order bilinear group. The outputs of Oracle O_i will allow a simulator to produce different type of secret keys, update keys and decryption keys, different type of ciphertext and challenge keys for one corresponding game demonstrated in Table 3.

All oracles are defined with respect to a bilinear group G of order p = p₁p₂p₃ and initially choose random elements g, u, v, w, u₀, v₀, w₀ ∈ G_p₁, g₂ ∈ G_p₂, g₃ ∈ G_p₃ as well as random exponents ψ₁, ψ₂, σ₁, σ₂, a′, b′, s, δ₁, δ₂, γ ∈ Z_n. They provide the attacker with a description of the group G, as well as the group elements (2)

Every oracle is allowed to simulate the semi-functional ciphertexts, normal and semi-functional (H)IBE private keys according to the provided group elements in Eq 2. We define the oracles from O₀ to O₄ in which the simulators will be allowed to produce a normal challenge decryption key. The outputs of Oracle O₀ will allow a simulator to produce a semi-functional challenge ciphertext, a normal challenge (H)IBE private key. The outputs of Oracle O₁ will allow a simulator to produce a semi-functional challenge ciphertext, a type-2 ephemeral semi-functional (ESF-2) challenge HIBE private key and a normal challenge IBE private key. The outputs of Oracle O_1⁺ will allow a simulator to produce a semi-functional challenge ciphertext, an type-2 ephemeral semi-functional (ESF-2) challenge IBE private key an normal challenge HIBE private key. The outputs of Oracle O₃ will allow a simulator to produce a type-1 ephemeral semi-functional(ESF-1) ciphertext, and a type-2 ephemeral semi-functional(ESF-2) challenge (H)IBE private key. Finally, the outputs of Oracle O₄ will allow a simulator to produce a semi-functional challenge ciphertext, and a semi-functional challenge (H)IBE private key.

We define the oracles from O₅ to O₇ in which the simulators will be allowed to produce a semi-functional challenge (H)IBE key. The outputs of Oracle O₅ will allow a simulator to produce a semi-functional ciphertext, and an ephemeral semi-functional challenge decryption key. The outputs of Oracle O₆ will allow a simulator to produce an type-1 ephemeral semi-functional(ESF-1) ciphertext, and a type-2 ephemeral semi-functional(ESF-2) challenge decryption key. Finally, the outputs of Oracle O₇ will allow a simulator to produce a semi-functional ciphertext, and a semi-functional challenge decryption key.

Oracle O₀ The first oracle, which we will denote by O₀, responds to queries as follows. Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, it chooses r, y′ ∈ Z_n randomly and returns the group elements (3) to the attacker. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r′, y″ ∈ Z_n randomly and returns the group elements (4) to the attacker. Upon receiving a challenge decryption-key-type query for I ∈ Z_n and T ∈ Z_n, it chooses r, y′, r′, y″ ∈ Z_n randomly and returns the group elements (5) to the attacker. Upon receiving a ciphertext-type query for I* ∈ Z_n, it chooses t ∈ Z_n randomly and returns the group elements (6) to the attacker. Upon receiving a ciphertext-type query for T* ∈ Z_n, it chooses t₀ ∈ Z_n randomly and returns the group elements (7) to the attacker.

Oracle O₁ The next oracle, which we will denote by O₁, responds to queries as follows. Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, it chooses r″, y‴ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂, X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (8) to the attacker. It responds to a ciphertext-type query, a challenge IBE-key-type query and a challenge decryption-key-type query in the same way as O₀.

Oracle O_1⁺ The oracle O_1⁺ responds to queries as follows. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r″, y‴ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂, X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (9) to the attacker. It responds to a ciphertext-type query, a challenge HIBE-key-type query and a challenge decryption-key-type query in the same way as O₀.

Oracle O₂ The next oracle, which we will denote by O₂, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a challenge IBE-key-type query, it responds in the same way as O₁. Upon receiving a ciphertext-type query for I* ∈ Z_n, it chooses t ∈ Z_n randomly and returns the group elements (10) to the attacker. Upon receiving a ciphertext-type query for T* ∈ Z_n, it chooses t₀ ∈ Z_n randomly and returns the group elements (11) to the attacker. It responds to a challenge decryption-key-type query in the same way as O₀.

Oracle O_2⁺ The next oracle, which we will denote by O_2⁺, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a challenge IBE-key-type query, it responds in the same way as O_1⁺. Upon receiving a ciphertext-type query for I* ∈ Z_n, it chooses t ∈ Z_n randomly and returns the group elements (12) to the attacker. Upon receiving a ciphertext-type query for T* ∈ Z_n, it chooses t₀ ∈ Z_n randomly and returns the group elements (13) to the attacker. It responds to a challenge decryption-key-type query in the same way as O₀.

Oracle O₃ The next oracle, which we will denote by O₃, responds to queries as follows. Upon receiving a challenge HIBE-key-type query and a ciphertext-type query, it responds in the same way as O₂. Upon receiving a challenge IBE-key-type query for I ∈ Z_n, it chooses r″, y‴ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂, X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (14) to the attacker. It responds to a challenge decryption-key-type query in the same way as O₀.

Oracle O₄ The next oracle, which we will denote by O₄, responds to ciphertext-type queries in the same way as O₀, and responds to a challenge HIBE-key-type query for I ∈ Z_n, by choosing r, y′ ∈ Z_n randomly and returns the group elements (15) to the attacker. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r′, y″ ∈ Z_n randomly and returns the group elements (16) to the attacker. It responds to a challenge decryption-key-type query in the same way as O₀.

Oracle O₅ The next oracle, which we will denote by O₅, responds to queries as follows. Upon receiving a challenge decryption-key-type query for I, T ∈ Z_n, it chooses r, y′, r′, y″ ∈ Z_n randomly, and also chooses randomly. It returns the group elements (17) to the attacker. It responds to a ciphertext-type query and a challenge (H)IBE-key-type query in the same way as O₄.

Oracle O₆ The next oracle, which we will denote by O₆, responds to queries as follows. Upon receiving a ciphertext-type query for I* ∈ Z_n, it chooses t ∈ Z_n randomly and returns the group elements (18) to the attacker. Upon receiving a ciphertext-type query for T* ∈ Z_n, it chooses t₀ ∈ Z_n randomly and returns the group elements (19) to the attacker. It responds to a decryption-type query and a challenge (H)IBE-key-type query in the same way as O₅.

Oracle O₇ The last oracle, which we will denote by O₇, responds to ciphertext-type queries in the same way as O₀, and responds to a challenge decryption-key-type query for I, T ∈ Z_n, by choosing r, y′, r′, y″ ∈ Z_n randomly and returns the group elements to the attacker. It responds to a challenge (H)IBE-key-type query in the same way as O₆.

We define the advantage of an attacker in distinguishing between O_i and O_j to be . Here, we assume that interacts with either O_i or O_j, and then outputs a bit 0 or 1 encoding its guess of which oracle it interacted with.

4.4 Indistinguishability of G_C′ and G_SF″

4.4.1 Strategy for the indistinguishability of G_C′ and G_SF″.

For the proof of the indistinguishability of G_C′ and G_SF′, we cannot use the simple nested dual system in U-HIBE [11] that change a normal private key(or normal update key) to an ephemeral semi-fuctional private key(or semi-functional update key) one by one since the adversary of RHIBE can query a private key for ID|_k ∈ Prefix(ID*|_l) and an update key for T*.

To solve this problem, we firstly use a modular design strategy like [13] and construct the private keys and update keys from smaller component keys. A secret key SK_{ID|_k} consists of many HIBE private keys which are represented as {SK_{HIBE,S_θ}}_{S_θ∈Path} and an update key UK_{ID|_k−1,T,R} consists a randomized decryption key RSK_HIBE and many IBE private keys {SK_{IBE,S_i}}_{S_i∈CV_R} where each HIBE private key (or an IBE private key) is associated with a node S_j in BT_{ID|_k−1}. The HIBE and IBE private keys can be grouped together if they are related to the same node S_j in BT_{ID|_k−1} and a correct decryption key is constructed form the grouped (H)IBE private key.

To uniquely identify a node S_j ∈ BT_{ID|_k−1}, we define a node identifier NID of this node as a string ID|_k−1||L_j where L_j = Label(v_j). To prove the indistinguishability of G_C′ and G_SF″, we change normal HIBE private keys and normal IBE private keys that are related to the same node identifier NID into (ephemeral) semi-functional keys by defining additional hybrid games. This additional hybrid games are performed for all node identifiers that are used in the key queries of the adversary.

Secondly, we give the equivalent model in which the challenger answers the secret(update, and decryption) key queries of the adversery by requesting the associated (H)IBE private keys from an oracle simulator , shown in Fig 1. When the adversary queries for the secret key, update key or decryption key for some identity and some time period, B constructs the key by the (H)IBE-challenge-key or decryption-challenge-key it queries from the oracle simulator . adaptively answers the corresponding group elements which it constructs by using the public paremeters given by some complexity assumption. Therefore, under the complexity assumptions, the oracle O_i that chooses to answer is indistinguishable and consequently the adversary cannot distinguish whether is playing the real RHIBE game or other variation games based on all the answers recieves after the adaptive queries to .

Download:

Fig 1. The query process in the proof of the indistinguishability of G_C′ and G_SF′.

*The group elements that the oracle simulator gives to the challenger are not only the public parameters PP_HIBE and PP_IBE, but also the group elements for constructing the (ephemeral) semi-functional keys and ciphertexts and the public elements given by the assumptions.

https://doi.org/10.1371/journal.pone.0195204.g001

For additional hybrid games that change HIBE private keys (or IBE private keys) that are related to the same node identifier NID = ID|_k−1||L_j from normal keys to semi-functional keys, we need to define an index pair (i_n, i_c) for an HIBE private key (or an IBE private key) that is related to the node v_j ∈ BT_{ID|_k−1} where i_n is a node index and i_c is a counter index. Suppose that an HIBE private key (or an IBE private key) is related to a node NID. The node index i_n for the HIBE private key (or the IBE private key) is assigned as follows: If the node v_j ∈ BT_{ID|_k−1} with a node identifier NID appears first time in key queries, then we set in as the number of distinct node identifiers in previous key queries plus one. If the node identifier NID already appeared before in key queries, then we set i_n as the value of previous HIBE private key (or IBE private key) with the same node identifier. The counter index i_c of an HIBE private key is assigned as follows: If the node identifier NID appears first time in HIBE private key queries, then we set i_c as one. If the node identifier NID appeared before in HIBE private key queries, then we set i_c as the number of HIBE private keys with the same node identifier that appeared before plus one. Similarly, we assigns the counter index i_c of an IBE private key.

Thirdly, we divide the behavior of an adversary as two types: Type-1 and Type-2. We next show that the semi-functional key invariance property holds for two types of the adversary. Let be the challenge hierarchical identity and T* be the challenge time. For a challenge node v with the node index h in the hybrid games from Game_C and Game_SF, the adversary types are formally defined as follows:

Type-1: An adversary is Type-1 if it queries on a hierarchical identity for all HIBE private keys with the node index h, and it queries on time T = T* for at least one IBE private key with the node index h.
Type-2: An adversary is Type-2 if it queries on time T ∉ T* for all IBE private keys with the node index h. Note that it may query on a hierarchical identity ID|_k ∈ Prefix(ID*|_l) for at least one HIBE private key with h, or it may query on a hierarchical identity for all HIBE private keys with h.

We prove our dual system encryption RHIBE scheme via a hybrid argument over the sequence of games in Table 3. For the different type of adversary, the squence of games is basicly the same except that:

For the Type-1 adversary, we prove the indistinguishability of G_C′ and G_ESF′ by the transition from G_C′ to G_EK−S, and to G_ESF′ without the attacker’s advantage changing by a non-negligible amount.
For the Type-2 adversary, we prove the indistinguishability of G_C′ and G_ESF′ by the transition from G_C′ to G_EK−U, and to G_ESF′ without the attacker’s advantage changing by a non-negligible amount.

Theorem 2 Under Assumptions 3 and 4, our dual system encryption RHIBE scheme has the equation (20)

We will prove these indistinguishabilities between games G_C′, G_E−S (or G_E−U), G_E−S′ (or G_E−U′), G_ESF′, and G_SF″ by going through several intermediary oracles. The main properties of our oracles are summarized in Tables 4 and 5 for the Type-1 adversary and Table 6 for the Type-2 adversary respectively. We intend these tables to be used only as a quick reference guide, not as a definition. We give a complete proof for the Type-1 adversary, and a brief explanation of the proof for the Type-2 adversary is demonstrated then.

Download:

Table 4. Simulation of challenge keys and cipertext in oracles for the proof of the indistinguishability between G_C′ and G_SF″ under Type-1 adversary.

https://doi.org/10.1371/journal.pone.0195204.t004

Download:

Table 5. Defination of games between G_ESF′ and G_SF″.

https://doi.org/10.1371/journal.pone.0195204.t005

Download:

Table 6. Simulation of challenge keys and cipertext in oracles under Type-2 adversary for the proof of the indistinguishability between G_C′ and G_SF″.

https://doi.org/10.1371/journal.pone.0195204.t006

4.4.2 Type-1 adversary.

As defined before, the Type-1 adversary is restricted to queries on a hierarchical identity . By quering for all HIBE private keys with any node index h where the node is on the path from the root to the leaf node v_{ID|_k} in the tree BT_{ID|_k−1}, the adversary derives the secret key of ID|_k.

So we could show an information theoretic argument for the HIBE private keys from normal to ephemeral semi-functional HIBE keys, then to semi-functional HIBE keys. At the meanwhile, by adaptively transforming the types of IBE private keys sooner or later than the transformation of HIBE private keys, we avoid a potential paradox for the update keys.

From the flollowing Lemma 1, to Lemma 20, we obtain the advantage of Type-1 adversary to distinguish between G_C′ and G_SF″ under Type-1 adversary as (21) We give the proof of those lemmas in Appendix.B.

(1) Indistinguishability of G_C′ and G_E−S

For the security proof of the indistinguishability of G_C′ and G_E−S, we define a sequence of additional hybrid games G_C′,1, …, G_C′,h, …, G_{C′,q_n}, where G_C′ = G_C′,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_C′,h for 1 ≤ h ≤ q_n, the challenge ciphertext is semi-functional, all IBE private keys are normal, HIBE private keys with a node index i_n ≤ h are of ESF-2, the remaining HIBE private keys with a node index i_n > h are normal.

Oracle O_1/2 This oracle initializes in the same way as O₀, O₁ and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, it chooses r′, y′ ∈ Z_n randomly, and also chooses X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (22) to the attacker. It responds to a ciphertext-type query or a challenge IBE-key-type query in the same way as O₀.

We define hybrid games H_1,1, H_1,2, ⋯, H_{h_c,1}, H_{h_c,2}, …, H_{q_s,1}, H_{q_s,2} where H_0,2 = G_C′,h and H_{q_s,2} = G_C′,h+1, and q_s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows:

Game H_{h_c,1} This game H_{h_c,1} for 1 ≤ h_c ≤ q_s is almost the same as G_2,h−1 except the generation of HIBE private keys and IBE private keys with the node θ_h of the index h. An IBE private key with an index pair (h, i_c) is generated as normal. An HIBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It generates a ESF-2 SK_{HIBE,θ_h}.
i_c = h_c: It generates a ESF-1 SK_{HIBE,θ_h} by using the element groups in Eq 22.
i_c > h_c: It simply generates a normal HIBE private key.

Game H_{h_c,2} This game H_{h_c,1} for 1 ≤ h_c ≤ q_s is almost the same as H_{h_c,1} except the generation of HIBE private key with an index pair (h, i_c) and i_c = h_c is generated as a ESF-2 SK_{HIBE,θ_h} by using the element groups in Eq 8.

Lemma 1 Under Assumptions 3, no PPT attacker can distinguish between O₀ and O_1/2 with non-negligible advantage. So no PPT attacker can distinguish between H_{h_c−1,2} and H_{h_c,1} with non-negligible advantage.

Lemma 2 Under Assumptions 4, no PPT attacker can distinguish between O_1/2 and O₁ with non-negligible advantage. So no PPT attacker can distinguish between H_{h_c,1} and H_{h_c,2} with non-negligible advantage.

Let be the advantage of in a game G_C′,h. From the Lemma 1, 2, we obtain the following equation

So we obtain the following equation (23)

(2) Indistinguishability of G_E−S and G_E−S′

We now prove the indistinguishability of G_E−S and G_E−S′ in a hybrid argument using polynomially many steps. We let q_c denote the number of ciphertext-type queries made by a PPT attacker . Firstly we define hybrid games S_−1,1, S_0,2, S_0,3, S_0,1, S_1,2, S_1,3, S_1,1⋯, S_k,2, S_k,3, S_k,1, …, S_{q_c−1,2}, S_{q_c−1,3}, S_{q_c−1,1}, where S_−1,1 = G_E−S and S_{q_c−1,1} = G_E−S′. The games are formally defined as follows:

Game S_k,1 This game S_k,1 for 0 ≤ k ≤ q_c is almost the same as G_E−S except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-2^k-CT outputed by EncryptESF-2^k defined in AppendixA.

Game S_k,2 This game S_k,2 for 0 ≤ k ≤ q_c − 1 is almost the same as G_E−S except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-3^k-CT outputed by EncryptESF-3^k defined in AppendixA.

Game S_k,3 This game S_k,3 for 0 ≤ k ≤ q_c − 1 is almost the same as G_E−S except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-4^k-CT outputed by EncryptESF-4^k defined in AppendixA.

We will define additional oracles for each i from 0 to q_c − 1, for each i from 0 to q_c − 1, and for each i from 0 to q_c − 1, to sample various distributions of group elements used for constructing the various types of ciphertexts in Game S_k,1, Game S_k,2 and Game S_k,3.

Oracle This oracle initializes in the same way as O₁, O₂ and provides the attacker with initial group elements from the same distribution. It also responds to challenge key-type queries in the same way as O₁, O₂. It keeps a counter of ciphertext-type queries which is initially equal to zero. It increments this counter after each response to a ciphertext-type query. In response to the jth ciphertext-type query for some , if j ≤ i, it responds exactly like O₂. If j > i, it responds exactly like O₁. In particular, is identical to O₁ and is identical to O₂.

Oracle This oracle acts the same as except in its response to the i^th ciphertext-type query. For the i^th ciphertext-type query for identity I*, it chooses a random t ∈ Z_N and random elements X₃, Y₃ ∈ G_p₃ and responds with: (24) If i = 0, the i^th ciphertext-type query is for time T*. It chooses a random t₀ ∈ Z_N and random elements and responds with: (25)

Oracle This oracle acts the same as except in its response to the i^th ciphertext-type query. For the i^th ciphertext-type query for identity I*, it chooses a random t ∈ Z_N and random elements X₃, Y₃ ∈ G_p₃ and responds with: (26) If i = 0, the i^th ciphertext-type query is for time T*. It chooses a random t₀ ∈ Z_N and random elements and responds with: (27)

Lemma 3 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between S_k−1,1 and S_k,2 with non-negligible advantage.

Lemma 4 Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between S_k,2 and S_k,3 with non-negligible advantage.

Lemma 5 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between S_k,3 and S_k,1 with non-negligible advantage.

Let , and be the advantage of in the games S_k,1, S_k,2 and S_k,3. From the Lemma 3, 4, 5, we obtain the following equation (28)

(3) Indistinguishability of G_E−S′ and G_ESF′

For the security proof of the indistinguishability of G_E−S′ and G_ESF′, we define a sequence of additional hybrid games G_S′,1, …, G_S′,h, …, G_{S′,q_n}, where G_E−S′ = G_S′,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_S′,h for 1 ≤ h ≤ q_n, the challenge ciphertext is semi-functional, all IBE private keys are ESF-2, IBE private keys with a node index i_n ≤ h are of ESF-2, the remaining HIBE private keys with a node index i_n > h are normal.

Oracle O_5/2 This oracle initializes in the same way as O₂, O₃ and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r′, y′ ∈ Z_n randomly, and also chooses X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (29) to the attacker. It responds to a ciphertext-type query or a challenge HIBE-key-type query in the same way as O₂.

We define hybrid games E_1,1, E_1,2, ⋯, E_{h_c,1}, H_{h_c,2}, …, E_{q_s,1}, E_{q_s,2} where E_0,2 = G_S′,h and E_{q_e,2} = G_S′,h+1, and q_e is the maximun number of IBE private key queries for the node index h. The games are formally defined as follows:

Game E_{h_c,1} This game E_{h_c,1} for 1 ≤ h_c ≤ q_e is almost the same as G_S′,h except the generation of HIBE private keys and IBE private keys with the node index h. An HIBE private key with an index pair (h, i_c) is generated as ESF-2. An IBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It generates a normal and converts the key to a ESF-2 SK_IBE,h.
i_c = h_c: It generates a normal and converts the key to a ESF-1 SK_IBE,h by using the element groups in Eq 29.
i_c > h_c: It simply generates a normal IBE private key.

Game E_{h_c,2} This game E_{h_c,2} for 1 ≤ h_c ≤ q_e is almost the same as E_{h_c,1} except the generation of IBE private key with an index pair (h, i_c) and i_c = h_c is generated as a ESF-2 SK_IBE,h by using the element groups in Eq 14.

Lemma 6 Under Assumptions 3, no PPT attacker can distinguish between O₂ and O_5/2 with non-negligible advantage. So no PPT attacker can distinguish between E_{h_c−1,2} and E_{h_c,1} with non-negligible advantage.

Lemma 7 Under Assumptions 4, no PPT attacker can distinguish between O_5/2 and O₃ with non-negligible advantage. So no PPT attacker can distinguish between E_{h_c,1} and E_{h_c,2} with non-negligible advantage.

Let be the advantage of in a game G_E′,h. From the Lemma 6, 7, we obtain the following equation

So we obtain the following equation (30)

(4) Indistinguishability of G_ESF′ and G_SF″

For the security proof of the indistinguishability of G_ESF′ and G_SF″, we define a sequence of games G_ESF′−1, ⋯, G_ESF′−5 to change the type of secret keys and update keys from ESF-2 to ESF-4 and the type of ciphertexts from ESF-1 to ESF-5 and G_ESF′−6, ⋯, G_ESF′−8 to change the type of update keys to semi-functional and the type of ciphertexts back to semi-functional. In Table 5, we give the types of key in the queries and the challenge cipertext in every game, and the decryption situation according to the types of keys and ciphertexts.

G_ESF′−1: The secret keys are changed to ESF-3. The update keys are still ESF-2. The challenge ciphertext is still ESF-1. The decryption keys are still normal.

G_ESF′−2: The update keys are changed to ESF-3. The secret keys are ESF-3. The challenge ciphertext is still ESF-1. The decryption keys are still normal.

G_ESF′−3: The challenge ciphertext is changed to ESF-5. The secret keys and the update keys are still ESF-3. The decryption keys are still normal.

G_ESF′−4: The secret keys are changed to ESF-4. The update keys are still ESF-3. The challenge ciphertext is ESF-5. The decryption keys are still normal.

G_ESF′−5: The update keys are changed to ESF-4. The secret keys are ESF-4. The challenge ciphertext is ESF-5. The decryption keys are still normal.

G_ESF′−6: The challenge ciphertext is changed to ESF-1. The secret keys and the update keys are ESF-4. The decryption keys are still normal.

G_ESF′−7: The update keys are changed to semi-functional update keys. The secret keys are ESF-4. The challenge ciphertext is ESF-1. The decryption keys are still normal.

G_ESF′−8: The challenge ciphertext is changed to semi-functional. The secret keys are ESF-4. The update keys are semi-functional update keys. The decryption keys are still normal.

We firstly prove the indistinguishabilities between G_ESF′ to G_ESF′−1, G_ESF′−1 to G_ESF′−8. And then we prove the indistinguishability of G_ESF′−8 and G_SF″.

Indistinguishability of G_ESF′ and G_ESF′−1. For the security proof of the indistinguishability of G_ESF′ and G_ESF′−1, we define a sequence of games additional hybrid games G_F′,1, …, G_F′,h, …, G_{F′,q_n}, where G_ESF′ = G_F′,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_F′,h for 1 ≤ h ≤ q_n, the challenge ciphertext is ESF-1, all IBE private keys are ESF-2, HIBE private keys with a node index i_n ≤ h are of ESF-3, the remaining HIBE private keys with a node index i_n > h are ESF-2.

Oracle O_3.1 This oracle initializes in the same way as O₃ and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, it chooses r, y′ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂ and X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (31) to the attacker. It responds to a ciphertext-type query or a challenge IBE-key-type query in the same way as O₃.

We define games F₁, ⋯, F_{h_c}, …, F_{q_s} where F₀ = G_S′,h and F_{q_s} = G_S′,h+1, and q_s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows:

Game F_{h_c} This game F_{h_c} for 1 ≤ h_c ≤ q_s is almost the same as G_F′,h except the generation of HIBE private keys and IBE private keys with the node index h. An IBE private key with an index pair (h, i_c) is generated as ESF-2. An HIBE private key with an index pair (h, i_c) is generated as follows:

i_c ≤ h_c: It generates a ESF-3 SK_HIBE,h by using the element groups in Eq 31.
i_c > h_c: It simply generates a ESF-2 HIBE private key.

Lemma 8 Under Assumptions 3, no PPT attacker can distinguish between O₃ and O_3.1 with non-negligible advantage. So no PPT attacker can distinguish between F_{h_c−1} and F_{h_c} with non-negligible advantage.

Let be the advantage of in a game G_F′,h. From the Lemma 8, we obtain the following equation (32)

Indistinguishability of G_ESF′−1 and G_ESF′−2. For the security proof of the indistinguishability of G_ESF′−1 and G_ESF′−2, we define a sequence of games G_F′−1,1, …, G_F′−1,h, …, G_{F′−1,q_n}, where G_ESF′−1 = G_F′−1,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_F′−1,h for 1 ≤ h ≤ q_n, the challenge ciphertext is ESF-1, all HIBE private keys are ESF-3, IBE private keys with a node index i_n ≤ h are of ESF-3, the remaining HIBE private keys with a node index i_n > h are ESF-2.

Oracle O_3.2 This oracle initializes in the same way as O_3.1 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r, y′ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂ and X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (33) to the attacker. It responds to a ciphertext-type query or a challenge HIBE-key-type query in the same way as O_3.1.

We define hybrid games F1₁, ⋯, F1_{h_c}, …, F1_{q_e} where F1₀ = G_F′−1,h and F1_{q_e} = G_F′−1,h+1, and q_e is the maximun number of IBE private key queries for the node index h. The games are formally defined as follows:

Game F1_{h_c} This game F1_{h_c} for 1 ≤ h_c ≤ q_s is almost the same as G_F′−1,h except the generation of HIBE private keys and IBE private keys with the node index h. A HIBE private key with an index pair (h, i_c) is generated as ESF-3. An IBE private key with an index pair (h, i_c) is generated as follows:

i_c ≤ h_c: It generates a ESF-3 SK_{IBE,h_c}.
i_c > h_c: It simply generates a ESF-2 IBE private key.

Lemma 9 Under Assumptions 3, no PPT attacker can distinguish between O_3.1 and O_3.2 with non-negligible advantage. So no PPT attacker can distinguish between F1_{h_c−1} and F1_{h_c} with non-negligible advantage.

Let be the advantage of in a game G_F′−1,h. From the Lemma 9, we obtain the following equation (34)

Indistinguishability of G_ESF′−2 and G_ESF′−3. For the security proof of the indistinguishability of G_ESF′−2 and G_ESF′−3, we define the oracle below.

Oracle O_3.3 This oracle initializes a bit differently from the other oracles. It fixes random elements g, u, h, v, w, u₀, h₀, v₀, w₀ ∈ G_p₁, g₂ ∈ G_p₂, g₃ ∈ G_p₃. It chooses random exponents . It initially provides the attacker with the group elements: (35) What differs from the previous oracles here is the added and term: notice that this is uniformly random in G_p₃, since γ is random modulo p₃ (and uncorrelated from its value modulo p₂). This oracle answers the challenge-key type query in the same way as O_3.2. To answer a ciphertext-type query for I, it chooses random values t ∈ Z_N and responds with: (36) To answer a ciphertext-type query for T, it chooses random values t ∈ Z_N and responds with: (37) It is crucial to note that these G_p₃ terms arethe same for each ciphertext-type query response.

Lemma 10 Under Assumptions 4, no PPT attacker can distinguish between O_3.2 and O_3.3 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−2 and G_ESF′−3 with non-negligible advantage.

From the Lemma 10, we obtain the following equation (38)

Indistinguishability of G_ESF′−3 and G_ESF′−4: For the security proof of the indistinguishability of G_ESF′−3 and G_ESF′−4, we define a sequence of games additional hybrid games G_F′−3,1, …, G_F′−3,h, …, G_{F′−3,q_n}, where G_ESF′−3 = G_F′−3,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_F′−3,h for 1 ≤ h ≤ q_n, the challenge ciphertext is ESF-5, all IBE private keys are ESF-3, HIBE private keys with a node index i_n ≤ h are of ESF-4, the remaining HIBE private keys with a node index i_n > h are ESF-3.

Oracle O_3.4 This oracle initializes in the same way with O_3.3 and provides the attacker the same initial elements as O_3.3. This oracle answers the ciphertext-type query and IBE key- type query in the same way as O_3.3. To answer a challenge HIBE private key type query for I, it chooses random values y, r ∈ Z_N, X₂, Y₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ and responds with: (39)

We define hybrid games F3₁, ⋯, F3_{h_c}, …, F3_{q_s} where F3₀ = G_{F′−3, h} and F3_{q_s} = G_F′−3,h+1, and q_s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows:

Game F3_{h_c} This game F3_{h_c} for 1 ≤ h_c ≤ q_s is almost the same as G_F′−3,h except the generation of HIBE private keys and IBE private keys with the node index h. An IBE private key with an index pair (h, i_c) is generated as ESF-3. An HIBE private key with an index pair (h, i_c) is generated as follows:

i_c ≤ h_c: It generates a ESF-4 SK_HIBE,h by using the element groups in Eq 39.
i_c > h_c: It simply generates a ESF-3 HIBE private key.

Lemma 11 Under Assumptions 4, no PPT attacker can distinguish between O_3.3 and O_3.4 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−3 and G_ESF′−4 with non-negligible advantage.

Let be the advantage of in a game G_F′−3,h. From the Lemma 11, we obtain the following equation (40)

Indistinguishability of G_ESF′−4 and G_ESF′−5. For the security proof of the indistinguishability of G_ESF′−4 and G_ESF′−5, we define a sequence of games additional hybrid games G_F′−4,1, …, G_F′−4,h, …, G_{F′−4,q_n}, where G_ESF′−4 = G_F′−4,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_F′−4,h for 1 ≤ h ≤ q_n, the challenge ciphertext is ESF-5, all HIBE private keys are ESF-4, IBE private keys with a node index i_n ≤ h are of ESF-4, the remaining IBE private keys with a node index i_n > h are ESF-3.

Oracle O_3.5 This oracle initializes in the same way with O_3.4 and provides the attacker the same initial elements as O_3.4. This oracle answers the ciphertext-type query and HIBE key- type query in the same way as O_3.4. To answer a challenge IBE private key type query for T, it chooses random values y, r ∈ Z_N, X₂, Y₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ and responds with: (41)

We define hybrid games F4₁, ⋯, F4_{h_c}, …, F4_{q_s} where F4₀ = G_F′−4,h and F4_{q_e} = G_F′−4,h+1, and q_e is the maximun number of IBE private key queries for the node index h. The games are formally defined as follows:

Game F4_{h_c} This game F4_{h_c} for 1 ≤ h_c ≤ q_e is almost the same as G_F′−4,h except the generation of HIBE private keys and IBE private keys with the node index h. An HIBE private key with an index pair (h, i_c) is generated as ESF-4. An IBE private key with an index pair (h, i_c) is generated as follows:

i_c ≤ h_c: It generates a ESF-4 SK_IBE,h by using the element groups in Eq 41.
i_c > h_c: It simply generates a ESF-3 IBE private key.

Lemma 12 Under Assumptions 4, no PPT attacker can distinguish between O_3.4 and O_3.5 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−4 and G_ESF′−5 with non-negligible advantage.

Let be the advantage of in a game G_F′−4,h. From the Lemma 12, we obtain the following equation (42)

Indistinguishability of G_ESF′−5 and G_ESF′−6. For the security proof of the indistinguishability of G_ESF′−5 and G_ESF′−6, we define the oracle below.

Oracle O_3.6 This oracle fixes random elements g, u, h, v, w, u₀, h₀, v₀, w₀ ∈ G_p₁, g₂ ∈ G_p₂, g₃ ∈ G_p₃. It chooses random exponents . It initially provides the attacker with the group elements: (43) What differs from the previous oracles here is the added and term: notice that this is uniformly random in G_p₃, since γ is random modulo p₃ (and uncorrelated from its value modulo p₂). This oracle answers the challenge-key type query in the same way as O_3.2. To answer a ciphertext-type query for I, it chooses random values t ∈ Z_N and responds with: (44) To answer a ciphertext-type query for T, it chooses random values t ∈ Z_N and responds with: (45) It is crucial to note that these G_p₃ terms arethe same for each ciphertext-type query response.

Lemma 13 Under Assumptions 4, no PPT attacker can distinguish between O_3.5 and O_3.6 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−5 and G_ESF′−6 with non-negligible advantage.

From the Lemma 13, we obtain the following equation (46)

Indistinguishability of G_ESF′−6 and G_ESF′−7. For the security proof of the indistinguishability of G_ESF′−6 and G_ESF′−7, we define a sequence of games G_F′−6,1, …, G_F′−6,h, …, G_{F′−6,q_n}, where G_ESF′−6 = G_F′−6,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_F′−6,h for 1 ≤ h ≤ q_n, the challenge ciphertext is ESF-1, all HIBE private keys are ESF-4, IBE private keys with a node index i_n ≤ h are semi-functional, the remaining IBE private keys with a node index i_n > h are ESF-4.

Oracle O_7/2′ This oracle initializes in the same way as O_3.6 and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r, y′ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂ and X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (47) to the attacker. It responds to a ciphertext-type query or a challenge HIBE-key-type query in the same way as O_3.6.

We define hybrid games F6_1,1, F6_1,2, ⋯, F6_{h_c,1}, F6_{h_c,2}, …, F6_{q_s,1}, F6_{q_s,2} where F6_0,2 = G_F′−6,h and F6_{q_e,2} = G_F′−6,h+1, and q_e is the maximun number of IBE private key queries for the node index h. The games are formally defined as follows:

Game F6_{h_c,1} This game F6_{h_c,1} for 1 ≤ h_c ≤ q_e is almost the same as G_F′−6,h except the generation of HIBE private keys and IBE private keys with the node index h. An HIBE private key with an index pair (h, i_c) is generated as ESF-4. An IBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It generates a semi-functional key SK_IBE,h.
i_c = h_c: It generates a normal and converts the key to a ESF-5 SK_IBE,h by using the element groups in Eq 47.
i_c > h_c: It generates a ESF-4 IBE private key.

Game F6_{h_c,2} This game F6h_c, 2 for 1 ≤ h_c ≤ q_e is almost the same as F6_{h_c,1} except the generation of IBE private key with an index pair (h, i_c) and i_c = h_c is generated as a semi-functional SK_IBE,h.

Lemma 14 Under Assumptions 4, no PPT attacker can distinguish between O_3.6 and O_7/2′ with non-negligible advantage. So no PPT attacker can distinguish between F6_i−1,2 and F6_i,1 with non-negligible advantage.

Oracle This oracle initializes in the same way as , and provides the attacker with initial group elements from the same distribution. It also responds to a ciphertext-type query as same as . It responds to a HIBE-key-type query in the same way as O_3.6. Upon receiving a challenge IBE-key-type query for T ∈ Z_n, it chooses r, y′ ∈ Z_n randomly, and returns the group elements (48) to the attacker.

Lemma 15 Under Assumptions 3, no PPT attacker can distinguish between O_7/2′ and with non-negligible advantage. So no PPT attacker can distinguish between F6_i,1 and F6_i,2 with non-negligible advantage.

Let be the advantage of in a game G_E′,h. From the Lemma 14, 15, we obtain the following equation

So we obtain the following equation (49)

Indistinguishability of G_ESF′−7 and G_ESF′−8. We now prove the indistinguishability of G_ESF′−7 and G_ESF′−8 in a hybrid argument using polynomially many steps. We let q_c denote the number of ciphertext-type queries made by a PPT attacker . Firstly we define hybrid games , , , where and . The games are formally defined as follows:

Game This game for 0 ≤ k ≤ q_c is almost the same as G_ESF′−7 except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-2^k-CT outputed by EncryptESF-2^k.

Game This game for 0 ≤ k ≤ q_c − 1 is almost the same as G_ESF′−7 except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-3^k-CT outputed by EncryptESF-3^k.

Game This game for 0 ≤ k ≤ q_c − 1 is almost the same as G_ESF′−7 except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-4^k-CT outputed by EncryptESF-4^k.

We will define additional oracles for each i from 0 to q_c − 1, for each i from 0 to q_c − 1, and for each i from 0 to q_c − 1.

Oracle This oracle acts the same as except that its response to the ciphertext-type query is as same as .

Lemma 16 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 17 Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 18 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Let , and be the advantage of in the games , and . From the Lemma 16, 17, 18, we obtain the following equation (50)

Indistinguishability of G_ESF′−8 and G_SF″. For the security proof of the indistinguishability of G_ESF′−8 and G_SF″, we define a sequence of games G_F′−8,1, …, G_F′−8,h, …, G_{F′−8,q_n}, where G_ESF′−8 = G_F′−8,0 and q_n is the number of all node identifiers that are used in HIBE private keys and IBE private keys of an adversary. In the game G_F′−8,h for 1 ≤ h ≤ q_n, the challenge ciphertext is semi-functional, all IBE private keys are semi-functional, HIBE private keys with a node index i_n ≤ h are semi-functional, the remaining HIBE private keys with a node index i_n > h are ESF-4.

Oracle O_7/2 This oracle initializes in the same way as and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, it chooses r, y′ ∈ Z_n randomly, and also chooses X₂, Y₂ ∈ G_p₂ and X₃, Y₃ ∈ G_p₃ randomly. It returns the group elements (51) to the attacker. It responds to a ciphertext-type query or a challenge IBE-key-type query in the same way as .

We define hybrid games I_1,1, I_1,2, ⋯, I_{h_c,1}, I_{h_c,2}, …, I_{q_s,1}, I_{q_s,2} where I_0,2 = G_F′−8,h and I_{q_s,2} = G_F′−8,h+1, and q_s is the maximun number of HIBE private key queries for the node index h. The games are formally defined as follows:

Game I_{h_c,1} This game I_{h_c,1} for 1 ≤ h_c ≤ q_s is almost the same as G_F′−8,h except the generation of HIBE private keys and IBE private keys with the node index h. An IBE private key with an index pair (h, i_c) is generated as a semi-functional key. An HIBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It generates a semi-functional SK_HIBE,h.
i_c = h_c: It generates a ESF-5 SK_HIBE,h.
i_c > h_c: It generates a ESF-4 SK_HIBE,h.

Game H_{h_c,2} This game H_{h_c,1} for 1 ≤ h_c ≤ q_s is almost the same as H_{h_c,1} except the generation of HIBE private key with an index pair (h, i_c) and i_c = h_c is generated as a semi-functional SK_HIBE,h.

Lemma 19 Under Assumptions 4, no PPT attacker can distinguish between and O_7/2 with non-negligible advantage. So no PPT attacker can distinguish between I_{h_c−1,2} and I_{h_c,1} with non-negligible advantage.

Lemma 20 Under Assumptions 3, no PPT attacker can distinguish between O_7/2 and O₄ with non-negligible advantage. So no PPT attacker can distinguish between I_{h_c,1} and I_{h_c,2} with non-negligible advantage.

Let be the advantage of in a game G_E′,h. From the Lemma 19, 20, we obtain the following equations and (52)

So we obtain the following equation (53)

According to the equations Eqs 23, 28, 30, 53, we obtain the following equation (54)

4.4.3 Type-2 adversary.

The Type-2 adversary is restricted to queries on the update keys on the time T ∉ T*. So we could show an information theoretic argument for the update keys and avoid a potential paradox for the secret keys, in the similar way of the situation of the Type-1 adversary in Sec.4.4.2.

The proof strategy for the indistinguishabilities between games G_C′ to G_EK−U, and to G_ESF′ under the Type-2 adversary is by going through several intermediary oracles in Table 6, where the type settings of the update keys and the secret keys in every oracle and game respectively are swaped compared to the setting in Sec.4.4.2. The proof of every respective lemma is similar to the proof for the Type-1 adversary, and finally we obtain the advantage between G_C′ and G_ESF′ under the Type-2 adversary as same in Eq 54.

4.5 Indistinguishability of G_SF″ and G_SF′

In the game G_SF″, the type of ciphertexts, secret keys and update keys are all semi-functional, except the decryption keys are normal. In this section, we give the proof of the indistinguishability of G_SF″ and G_SF′ via a hybrid argument over the sequence of games G_SF″, G_E−D, G_ESF and G_SF′ to transform the type of decryption keys from normal to ephemeral semi-functional, and then to semi-functional.

The hybrid argument we conduct for the indistinguishability of G_SF″ and G_SF′ is following the process similar to the argument for the indistinguishability of G_C′ and G_SF″. But it is simpler since the transformation of challenge type only happens to the decryption keys and the challenge ciphertexts. So we just treat the decryption keys as a secret key of the identity (T, id₁, ⋯, id_j) and follow the proof strategy in the nested dual system encryption of the unbounded HIBE [12].

We show the oracles for proving the the indistinguishability of G_SF″ and G_SF′ in Table 7 which answer queries from the challenger by sampling various distributions of group elements to construct the decryption keys, challenge ciphertexts and also the secret keys and update keys.

Download:

Table 7. Simulation of challenge keys and cipertext in oracles for the proof of the indistinguishability between G_SF″ and G_SF′.

https://doi.org/10.1371/journal.pone.0195204.t007

Since these oracles initially provide the attacker with a description of the group G, as well as the group elements

So the simulation of semi-functional secret keys and update keys are achievable in all oracles and games.

(1) Indistinguishability of G_SF″ and G_E−D

For the security proof of the indistinguishability of G_SF″ and G_E−D, we define a sequence of additional hybrid games J_1,1, J_1,2, ⋯, J_{h_d,1}, J_{h_d,2}, …, J_{q_d,1}, J_{q_d,2} where J_0,2 = G_SF″ and J_{q_d,2} = G_E−D, and q_d is the number of decryption key queries of an adversary. The games and a additional oracle O_9/2 used in the proof are formally defined as follows:

Oracle O_9/2 This oracle initializes in the same way as O₄, O₅ and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge decryption-key-type query for I, T ∈ Z_n, it chooses r, y′, r′, y″ ∈ Z_n randomly, and also chooses randomly. It returns the group elements (55) to the attacker. It responds to a ciphertext-type query and a challenge (H)IBE-key-type query in the same way as O₄.

Game J_{h_d,1} This game J_{h_d,1} for 1 ≤ h_d ≤ q_d is almost the same as G_EF″ except the generation of the decryption keys DK_{ID|_k,T}.

i_d < h_d: It generates a normal and converts the key to a ESF-2 DK_{ID|_k,T} by using the element groups in Eq 17.
i_d = h_d: It generates a normal and converts the key to a ESF-1 DK_{ID|_k,T} by using the element groups in Eq 55.
i_d > h_d: It simply generates a normal decryption key.

Game J_{h_d,2} This game J_{h_d,1} for 1 ≤ h_d ≤ q_d is almost the same as J_{h_d,1} except the generation of the decryption key is generated as a ESF-2 DK_{ID|_k, T} by using the element groups in Eq 17. The first h_d decryption keys are generated as ESF-2 and the remaining decryption keys are generated as normal.

Lemma 21 Under Assumptions 3, no PPT attacker can distinguish between O₄ and O_9/2 with non-negligible advantage. So no PPT attacker can distinguish between J_{h_d−1,2} and J_{h_d,1} with non-negligible advantage.

Lemma 22 Under Assumptions 4, no PPT attacker can distinguish between O_9/2 and O₅ with non-negligible advantage. So no PPT attacker can distinguish between J_{h_d,1} and J_{h_d,2} with non-negligible advantage.

From the Lemma 21, 22, we obtain the following equation (56)

(2) Indistinguishability of G_E−D and G_ESF

We now prove the indistinguishability of G_E−D and G_ESF in a hybrid argument using polynomially many steps. We let q_c denote the number of ciphertext-type queries made by a PPT attacker . Firstly we define hybrid games L_−1,1, L_0,2, L_0,3, L_0,1, L_1,2, L_1,3, L_1,1⋯, L_k,2, L_k,3, L_k,1, …, L_{q_c−1,2}, L_{q_c−1,3}, L_{q_c−1,1}, where L_−1,1 = G_E−D and L_{q_c−1,1} = G_ESF. The games are formally defined as follows:

Game L_k,1 This game L_k,1 for 0 ≤ k ≤ q_c is almost the same as G_E−D except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-2^k-CT outputed by EncryptESF-2^k.

Game L_k,2 This game L_k,2 for 0 ≤ k ≤ q_c − 1 is almost the same as G_E−D except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-3^k-CT outputed by EncryptESF-3^k.

Game L_k,3 This game L_k,3 for 0 ≤ k ≤ q_c − 1 is almost the same as G_E−D except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-4^k-CT outputed by EncryptESF-4^k.

We will define additional oracles for each i from 0 to q_c − 1, for each i from 0 to q_c − 1, and for each i from 0 to q_c − 1.

Oracle This oracle initializes in the same way as O₅, O₆ and provides the attacker with initial group elements from the same distribution. It also responds to challenge key-type queries in the same way as O₅, O₆. It keeps a counter of ciphertext-type queries which is initially equal to zero. It increments this counter after each response to a ciphertext-type query. In response to the j^th ciphertext-type query for some , if j ≤ i, it responds exactly like O₆. If j > i, it responds exactly like O₅. In particular, is identical to O₅ and is identical to O₆.

Oracle This oracle acts the same as except in its response to the i^th ciphertext-type query. For the i^th ciphertext-type query for identity I*, it chooses a random t ∈ Z_N and random elements X₃, Y₃ ∈ G_p₃ and responds with: (57) If i = 0, the i^th ciphertext-type query is for time T*. It chooses a random t₀ ∈ Z_N and random elements and responds with: (58)

Oracle This oracle acts the same as except in its response to the ith ciphertext-type query. For the i^th ciphertext-type query for identity I*, it chooses a random t ∈ Z_N and random elements X₃, Y₃ ∈ G_p₃ and responds with: (59) If i = 0, the i^th ciphertext-type query is for time T*. It chooses a random t₀ ∈ Z_N and random elements and responds with: (60)

Lemma 23 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between L_k−1,1 and L_k,2 with non-negligible advantage.

Lemma 24 Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between L_k,2 and L_k,3 with non-negligible advantage.

Lemma 25 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between L_k,3 and L_k,1 with non-negligible advantage.

From the Lemma 23, 24, 25, we obtain the following equation (61)

(3) Indistinguishability of G_ESF and G_SF′

For the security proof of the indistinguishability of G_ESF and G_SF′, we define a sequence of games G_ESF−1, G_ESF−2, G_ESF−3 to change the type of decryption keys from ESF-2 to ESF-4 and the type of ciphertexts from ESF-1 to ESF-5 and G_ESF−4, G_ESF−5, G_ESF−6 to change the type of decryption keys to semi-functional and the type of ciphertexts back to semi-functional. In Table 8, we give the types of key in the queries and the challenge cipertext in every game, and the decryption situation according to the types of keys and ciphertexts.

Download:

Table 8. Defination of games between G_ESF and G_SF′.

https://doi.org/10.1371/journal.pone.0195204.t008

G_ESF−1: The decryption keys are changed to ESF-3. The challenge ciphertext is still ESF-1. The secret keys and update keys are still semi-functional.

G_ESF−2: The challenge ciphertext is changed to ESF-5. The secret keys and the update keys are still semi-functional. The decryption keys are still ESF-3.

G_ESF−3: The decryption keys are changed to ESF-4. The challenge ciphertext is ESF-5. The secret keys and update keys are still semi-functional.

G_ESF−4: The challenge ciphertext is changed to ESF-1. The secret keys and the update keys are semi-functional. The decryption keys are still ESF-4.

G_ESF−5: The challenge ciphertext is changed to semi-functional. The secret keys and the update keys are semi-functional. The decryption keys are still ESF-4.

We firstly prove the indistinguishabilities between G_ESF to G_ESF−1, G_ESF−1 to G_ESF−5. And then we prove the indistinguishability of G_ESF−5 and G_SF′.

Indistinguishability of G_ESF and G_ESF−1. For the security proof of the indistinguishability of G_ESF and G_ESF−1, we define games G_F,1, ⋯, G_{F,h_d}, …, G_{F,q_d} where G_F,0 = G_ESF and G_{F,q_d} = G_ESF−1, and q_d is the number of decryption key queries of an adversary. In the game G_F,h for 1 ≤ h ≤ q_d, the challenge ciphertext is ESF-1, all (H)IBE private keys are semi-functional, the i^st queried decryption key where i ≤ h are of ESF-3, the remaining decryption keys with i > h are ESF-2.

Oracle O_6.1 This oracle initializes in the same way as O₆ and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge decryption-key-type query for I, T ∈ Z_n, it chooses r, y′, r′, y″ ∈ Z_n randomly, and also chooses and randomly. It returns the group elements (62) to the attacker. It responds to a ciphertext-type query or a challenge (H)IBE-key-type query in the same way as O₆.

Lemma 26 Under Assumptions 3, no PPT attacker can distinguish between O₆ and O_6.1 with non-negligible advantage. So no PPT attacker can distinguish between G_{F,h_d−1} and G_{F,h_d} with non-negligible advantage.

Let be the advantage of in a game G_F′,h. From the Lemma 27, we obtain the following equation (63)

Indistinguishability of G_ESF−1 and G_ESF−2. For the security proof of the indistinguishability of G_ESF−1 and G_ESF−2, we define the oracle below.

Oracle O_6.2 This oracle initializes a bit differently from the other oracles. It fixes random elements g, u, h, v, w, u₀, h₀, v₀, w₀ ∈ G_p₁, g₂ ∈ G_p₂, g₃ ∈ G_p₃. It chooses random exponents . It initially provides the attacker with the group elements: (64) What differs from the previous oracles here is the added and term: notice that this is uniformly random in G_p₃, since γ is random modulo p₃ (and uncorrelated from its value modulo p₂). This oracle answers the challenge-key type query in the same way as O_6.1. To answer a ciphertext-type query for I, it chooses random values t ∈ Z_N and responds with: (65) To answer a ciphertext-type query for T, it chooses random values t ∈ Z_N and responds with: (66) It is crucial to note that these G_p₃ terms arethe same for each ciphertext-type query response.

Lemma 27 Under Assumptions 4, no PPT attacker can distinguish between O_6.1 and O_6.2 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF−1 and G_ESF−2 with non-negligible advantage.

From the Lemma 27, we obtain the following equation (67)

Indistinguishability of G_ESF−2 and G_ESF−3: For the security proof of the indistinguishability of G_ESF−2 and G_ESF−3, we define a sequence of games additional hybrid games G_F−2,1, …, G_F−2,h, …, G_{F−2,q_d}, where G_ESF−2 = G_F−2,0 and q_d is the number of decryption key queries of an adversary. In the game G_F−2,h for 1 ≤ h ≤ q_d, the challenge ciphertext is ESF-5, all (H)IBE private keys are semi-functional, the i^st queried decryption key where i ≤ h are of ESF-4, the remaining decryption keys with i > h are ESF-3.

Oracle O_6.3 This oracle initializes in the same way with O_6.2 and provides the attacker the same initial elements as O_6.2. This oracle answers the ciphertext-type query and (H)IBE key- type query in the same way as O_6.2. To answer a challenge decryption key type query for I, I, it chooses random values randomly, and and responds with: (68)

Lemma 28 Under Assumptions 4, no PPT attacker can distinguish between O_6.2 and O_6.3 with non-negligible advantage. So no PPT attacker can distinguish between G_F−2,h and G_F−2,h+1 with non-negligible advantage.

Let be the advantage of in a game G_F−2,h. From the Lemma 28, we obtain the following equation (69)

Indistinguishability of G_ESF−3 and G_ESF−4. For the security proof of the indistinguishability of G_ESF−3 and G_ESF−4, we define the oracle below.

Oracle This oracle initializes in the same way as , and provides the attacker with initial group elements from the same distribution. It also responds to a ciphertext-type query as same as . It responds to the decryption-key-type and (H)IBE-key-type queries in the same way as O_6.3.

Lemma 29 Under Assumptions 4, no PPT attacker can distinguish between O_6.3 and with non-negligible advantage. So no PPT attacker can distinguish between G_ESF−3 and G_ESF−4 with non-negligible advantage.

From the Lemma 29, we obtain the following equation (70)

Indistinguishability of G_ESF−4 and G_ESF−5. We now prove the indistinguishability of G_ESF−4 and G_ESF−5 in a hybrid argument using polynomially many steps. We let q_c denote the number of ciphertext-type queries made by a PPT attacker . Firstly we define hybrid games , , , where and . The games are formally defined as follows:

Game This game for 0 ≤ k ≤ q_c is almost the same as G_ESF−4 except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-2^k-CT outputed by EncryptESF-2^k.

Game This game for 0 ≤ k ≤ q_c − 1 is almost the same as G_ESF−4 except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-3^k-CT outputed by EncryptESF-3^k.

Game This game for 0 ≤ k ≤ q_c − 1 is almost the same as G_ESF−4 except the generation of the challenge ciphertext. The challenge ciphertext of is generated as EST-4^k-CT outputed by EncryptESF-4^k.

We will define additional oracles for each i from 0 to q_c − 1, and for each i from 0 to q_c − 1.

Oracle This oracle acts the same as except that its response to the ciphertext-type query is as same as .

Lemma 30 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 31 Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 32 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Let , and be the advantage of in the games , and . From the Lemma 30, 31, 32, we obtain the following equation (71)

Indistinguishability of G_ESF−5 and G_SF′. For the security proof of the indistinguishability of G_ESF−5 and G_SF′, we define hybrid games , where and , and q_d is the number of decryption key queries of an adversary. The oracle and games are formally defined as follows:

Oracle O_13/2 This oracle initializes in the same way as and provides the attacker with initial group elements from the same distribution. Upon receiving a challenge decryption-key-type query for I, T ∈ Z_n, it chooses r, y′, r′, y″ ∈ Z_n randomly, and also chooses and randomly. It returns the group elements (72) to the attacker. It responds to a ciphertext-type query or a challenge (H)IBE-key-type query in the same way as .

Game This game for 1 ≤ h ≤ q_d is almost the same as G_ESF−5 except the generation of decryption keys. The i^st queried decryption key is generated as follows:

i < h: It generates a semi-functional DK_{ID|_k,T}.
i = h: It generates a ESF-5 DK_{ID|_k,T}.
i > h: It generates a ESF-4 DK_{ID|_k,T}.

Game This game for 1 ≤ h ≤ q_d is almost the same as except the generation of the h^st queried decryption key is generated as a semi-functional DK_{ID|_k,T}.

Lemma 33 Under Assumptions 4, no PPT attacker can distinguish between and O_13/2 with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 34 Under Assumptions 3, no PPT attacker can distinguish between O_13/2 and O₇ with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Let be the advantage of in a game G_E′,h. From the Lemma 33, 34, we obtain the following equations

So we obtain the following equation (73)

According to the equations Eqs 56, 61, 73, we obtain the following equation (74)

4.6 Indistinguishability of G_C and G_C′ and Indistinguishability of G_SF′ and G_SF

Lemma 35 Under Assumptions 3 and 4, for any PPT attacker , the difference in ’s advantage between G_θ and G_θ′ is negligible, where θ ∈ {C, SF}.

Proof We suppose there exists a PPT attacker and a symbol of θ ∈ {C, SF} such that ’s advantage changes non-negligibly between Game RHIBE_θ and Game RHIBE_θ′. We will either create a PPT algorithm that breaks Assumption 3 with non-negligible advantage or a PPT algorithm that breaks Assumption 4 with non-negligible advantage.

While playing Game RHIBE_θ under Type-1 adversary, produces two values I, I′ ∈ Z_n which are unequal modulo n but are equal modulo p₃, with non-negligible probability. We let A denote gcd(I − I′, n), and we let B denote n/A. We then have that p₃ divides A, and B ≠ 1.

While playing Game RHIBE_θ under Type-2 adversary, produces two values T, T′ ∈ Z_n which are unequal modulo n but are equal modulo p₃, with non-negligible probability. We let A denote gcd(T − T′, n), and we let B denote n/A. We then have that p₃ divides A, and B ≠ 1.

We consider two possible cases: 1) p₁ divides B and 2) A = p₁p₃, B = p₂. At least one of these cases must occur with non-negligible probability.

If case 1) occurs with non-negligible probability, we can create a which breaks Assumption 3 with non-negligible advantage. receives g, g₂, X₁ X₃, T. It can use these terms to simulate Game RHIBE_β with as follows. It picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , , and gives the following public parameters:

We note that knows the master secret key α, so it can easily make normal secret keys, normal update keys and normal decryption keys. Since also knows g₂, it can easily make semi-functional ciphertexts. So can play Game RHIBE_C and Game RHIBE_C′ with .

To make the three kinds of semi-functional keys, uses X₁, X₃ and g₂. More precisely, to make a semi-functional decryption key for T and (I₁, ⋯, I_j), it also chooses random values . It forms the decryption key as:

To make the semi-functional update key of (I₁, ⋯, I_j−1) and T for each θ with its value γ_θ in KUNode(BT_{ID|_j−1}, T, RL_{ID|_j−1}), chooses random values . forms the challenge update key for as:

To make the semi-functional secret key of (I₁, ⋯, I_j) and T for each θ with its value γ_θ in Path(ID|_j), chooses random values r_{1, θ}, ⋯, r_{j, θ} ∈ Z_n. forms the challenge secret key for as:

So can play Game RHIBE_SF and Game RHIBE_SF′ with . Now, if fails to produce I, I′ or T, T′ such that gcd(I − I′, n) = A or gcd(T − T′, n) = A is divisible by p₃ and p₁ divides B = n/A, then guesses randomly. However, with non-negligible probability, will produce such an I, I′ or T, T′. can detect this by computing A = gcd(I − I′, n) or A = gcd(T − T′, n) and B = n/A, checking that g^B is the identity element (this will occur only if p₁ divides B since g has order p₁ in G) and checking that (X₁ X₃)^B ≠ 1 (this confirms that p₃ does not divide B, hence it must divide A). When detects this situation, it can test whether T ∈ G_p₁ or T ∈ G_p₁p₃ by testing if T^B is 1. If T^B = 1 holds, then T ∈ G_p₁. If T^B ≠ 1, then T ∈ G_{p₁ p₃}. Thus, achieves non-negligible advantage in breaking Assumption 3.

If case 2) occurs with non-negligible probability, we can create a which breaks Assumption 4 with non-negligible advantage. receives g, g₃, X₁ X₂, Y₂ Y₃, T. It can use these terms to simulate Game RHIBE_θ with as follows. It gives the public parameters like in the case 1. We note that B knows the master secret key α, so it can easily make normal keys.

To make a semi-functional ciphertext for T and and message M, chooses random values t₀, t₁, ⋯, t_l ∈ Z_n and forms the ciphertext as:

We note that this will set σ₁ = c₁ modulo p₂ and σ₂ = c₂ modulo p₂. To make a semi-functional decryption key for (I₁, ⋯, I_j), chooses random values y₀, y₁, ⋯, y_j, r₀, r₁, ⋯, r_j ∈ Z_n. It forms the key as:

To make the semi-functional update key of (I₁, ⋯, I_j−1) and T for each θ with its value γ_θ in KUNode(BT_{ID|_j−1}, T, RL_{ID|_j−1}), chooses random values y_0,θ, y_1,θ, ⋯, y_j−1,θ, r_0,θ, r_1,θ, ⋯, r_j−1,θ ∈ Z_n. forms the challenge update key for as:

To make the semi-functional secret key of (I₁, ⋯, I_j) and T for each θ with its value γ_θ in Path(ID|_j), chooses random values y_1,θ, ⋯, y_j,θ, r_1,θ, ⋯, r_j,θ ∈ Z_n. forms the challenge secret key for as:

We note that the semi-functional ciphertext and keys are well-distributed, and share the common value of σ₁ = c₁ modulo p₂ and σ₂ = c₂ modulo p₂ as required. We note that the G_p₂ terms on the ciphertext are random because the value of d modulo p₂ and d₀ modulo p₂ does not appear elsewhere.

Now, if fails to produce I, I′ such that gcd(I − I′, n) = A or T, T′ such that gcd(T − T′, n) = A, where A = p₁ p₃ and B = p₂, then guesses randomly. However, with non-negligible probability, will produce such an I, I′ or T, T′. can detect this by computing A, B and testing that g^B and are not the identity element (this confirms that B = p₂, since it demonstrates the p₁ and p₃ do not divide B). Now, can learn whether T has a G_p₂ component or not by testing if T^A is the identity element or not. If it is not, then T has a G_p₂ component. Thus, achieves non-negligible advantage in breaking Assumption 4.

4.7 Indistinguishability of G_Real and G_C

Lemma 36 If the Assumption 1 holds, then no polynomial-time adversary can distinguish G_Real and G_C.

Proof. We assume there is a PPT attacker such that achieves a non-negligible difference in advantage between Game G_Real and Game G_C. We will create a PPT algorithm which breaks Assumption 1 with non-negligible advantage. is given g ∈ G_p₁ and T. chooses a, b, c, d, a₀, b₀, c₀, d₀, α randomly from Z_p and set . It gives the public parameters (75) to . Since knows the master secret key α, it can respond to ’s key requests by calling the key generation update and derive algorithm and giving the resulting keys.

At some point, provides two messages M₀, M₁ and requests the challenge ciphertext for some identity vector, denoted by at the time T*. forms the ciphertext as follows. It chooses t₀, t₁, …t_l randomly from Z_p and β randomly from {0, 1} and sets: (76) This implicitly sets g^s equal to the G_p₁ part of T. If T ∈ G_p₁, then this is a well-distributed normal ciphertext, and has properly simulated Game G_Real. If T ∈ G_p₁p₂, then this is a well-distributed semi-functional ciphertext (since the values of d modulo p₂ and d₀ modulo p₂ are uncorrelated from their values modulo p₁ by the Chinese Remainder Theorem). Hence, has properly simulated Game G_C in this case. Thus, can use the output of to achieve a non-negligible advantage against Assumption 1.

4.8 Indistinguishability of G_SF and G_Final

Lemma 37 If the Assumption 2 holds, then no polynomial-time adversary can distinguish G_SF and G_Final.

Proof We suppose there exists a PPT attacker who achieves a non-negligible advantage in Game RHIBE_SF. We will create a PPT algorithm which has a non-negligible advantage against Assumption 2.

receives g, g₂, g₃, g^α X₂, g^s Y₂, T. It chooses a, b, c, d, a₀, b₀, c₀, d₀ randomly from Z_p and sets . It gives the public parameters (77) to . We note that does not know the master secret key α. For a secret key query for (I₁, ⋯, I_k), will create a semi-functional secret key as follows. It chooses f₁ randomly and r_1,θ, ⋯, r_k,θ, b_1,θ, ⋯, b_k,θ ∈ Z_p randomly for each node θ ∈ Path(ID_k). The semi-functional secret key SK_{ID|_k} is formed as ({θ, PSK_θ}_θ∈path), in which and we have as (78)

This is a well-distributed semi-functional secret key with ψ_1,θ = d + 1, σ_1,θ = c(mod p₂p₃) and y₁ = f₁(mod p₂p₃). Notice that y₁ is freshly random modulo p₂ and p₃ for each key, while σ_2,θ, ψ_2,θ are the same for all update keys.

For an update key query for (I₁, ⋯, I_j−1) and T, generates a semi-functional update key as follows. It chooses randomly for each node θ ∈ KUNode(BT_{ID_j−1}) and f₂ randomly. And it will implicitly set mod p₁. The semi-functional update key is formed as UK_{ID|_j−1,T} = ({θ, TUK_θ}_θ∈KUNode) and : (79) This is a well-distributed semi-functional update key with ψ_2,θ = d₀ + 1, σ_2,θ = c₀(mod p₂p₃) and y₂ = f₂(mod p₃), y₂ = (f₂ + log_g₂ X₂)(mod p₂), then . Notice that y₂ is freshly random modulo p₂ and p₃ for each update key, while σ_2,θ, ψ_2,θ are the same for all update keys.

In response to a decryption key query for (I₁, ⋯, I_j) and T. generates the semi-functional secret key and the semi-functional update key at first, and derives an semi-functional decryption key which is formed as (80) This is a well-distributed semi-functional decryption key.

At some point, provides with two messages M₀, M₁, a challenge identity vector and a challenge time T*. creates the challenge ciphertext as follows. It chooses randomly from Z_n and β randomly from {0, 1} and sets: (81) If T = e(g, g)^αs, this is a well-distributed semi-functional encryption of M_β with . Notice that and randomize these so that there is no correlation with d or d₀ modulo p₂. Hence this is uncorrelated from the exponents modulo p₂ of the semi-functional keys. In this case, has properly simulated Game RHIBE_SF.

If T is a random element of G_T, then this is a semi-functional encryption of a random message, and hence the ciphertext contains no information about β. In this case, the advantage of must be zero. Since we have assumed the advantage of is non-negligible in Game RHIBE_SF, can use the output of to obtain a non-negligible advantage against Assumption 2.

This completes the proof of Theorem 1.

5 Conclusion

In this paper, we propose a RHIBE scheme by combining the unbounded LW-(H)IBE and the CS method in a modular way in composite bilinear groups. Moreover, our construction has the advantages of decryption key exposure resistance and short system public parameters. Since neither the naive dual system encryption for bounded RHIBEs nor the naive nested dual system encryption for unbounded HIBEs work in our unbounded RHIBE, we carefully re-design the hybrid games to show the information theoretic arguments successfully in the dual system encryption framework. Our RHIBE is the first unbounded RHIBE scheme that achieves the adaptive security.

A Defination of the ephemeral semi-functional ciphertexts and keys

In the defination of the first type of ephemeral semi-functional ciphertext, we add G_p₂ term on every element of all ciphertext-element-groups. We define a sequence of type-2 ephemeral semi-functional ciphertexts with the index 0 ≤ k ≤ l, every element of the first k − 1 ciphertext-element-groups is in G_p₁p₂, and only the first elements of the rest of ciphertext-element-groups are added by G_p₂ terms. In the defination of the third type of ephemeral semi-functional ciphertext, every element of the first i − 1 ciphertext-element-groups is in G_p₁p₂; for the i^st ciphertext-element-group, the first element is in G_p₁p₂p₃, its rest elements are in G_{p₁ p₃}; and for the rest ciphertext-element-groups, we add G_p₂ terms on the first elements of them. In the defination of the fourth type of ephemeral semi-functional ciphertext, every elements of the first i − 1 ciphertext-element-groups are in G_p₁p₂, every elements of the i^st ciphertext-element-group are in G_p₁p₂p₃, and for the rest ciphertext-element-groups, we add G_p₂ terms on the first elements of them. In the defination of the fifth type of ephemeral semi-functional ciphertext, every element of all ciphertext-element-groups is in G_p₁p₂p₃.

EncryptESF-1 Let the normal ciphertext be . It chooses γ, δ₁, δ₂, a′, b′, and random t₀, …, t_j ∈ Z_n and forms the ESF-1-CT as

EncryptESF-2^k It chooses γ, δ₁, δ₂, a′, b′, and random t₀, …, t_k ∈ Z_n. It forms the first two elements and the first k element-groups of ESF-2^k-CT as same as of ESF-1-CT, and the rest element-groups of ESF-2^k-CT as same as of SF-CT.

EncryptESF-3^k It chooses γ, δ₁, δ₂, a′, b′, and random t₀, …, t_k ∈ Z_n, random X₃, Y₃ ∈ G_p₃. It forms the first two elements and the first k − 1 element-groups of ESF-3^k-CT as same as of ESF-1-CT, and the k^st element-group of ESF-3^k-CT as and the rest element-groups of ESF-3^k-CT as same as of SF-CT.

EncryptESF-4^k It chooses γ, δ₁, δ₂, a′, b′, and random t₀, …, t_k ∈ Z_n, random X₃, Y₃ ∈ G_p₃. It forms the first two elements and the first k − 1 element-groups of ESF-4^k-CT as same as of ESF-1-CT, and the k^st element-group of ESF-4^k-CT as and the rest element-groups of ESF-4^k-CT as same as of SF-CT.

EncryptESF-5 Let the normal ciphertext be . It chooses γ, δ₁, δ₂, a′, b′, g₃ ∈ G_p₃, and random . It forms the first two elements of as , and forms the element-groups of ESF-5-CT as

In the defination of the first type of ephemeral semi-functional secret key, we add G_p₃ term on the last 2 elements of the last element-group. In the defination of the second type of ephemeral semi-functional secret key, we add G_p₂p₃ term on the last 2 elements of the last element-group. In the defination of the third type of ephemeral semi-functional secret key, we add G_p₃ term on the first 2 elements of the last element-group and add G_p₂p₃ term on the last 2 elements of the last element-group. In the defination of the fourth type of ephemeral semi-functional secret key, every element of the last element-group is in G_p₁p₂p₃. In the defination of the fifth type of ephemeral semi-functional secret key, the first 2 elements and the last element of the last element-group is in G_{p₁ p₂ p₃}, and the third element of the last element-group is in G_{p₁ p₃}.

SKeyESF-1 Let the correlative component key to the node θ ∈ Path(ID_j) in the BT_{ID|_j−1} be . It chooses random values X₃, Y₃ ∈ G_p₃ and forms the component ESF-1-SK by changing the last element-group as

SKeyESF-2 Let the correlative component key to the node θ ∈ Path(ID_j) in the BT_{ID|_j−1} be . It chooses random values X₂, Y₂ ∈ G_p₂, X₃, Y₃ ∈ G_p₃ and forms the component ESF-2-SK by changing the last element-group as

SKeyESF-3 It chooses chooses y′, r ∈ Z_p randomly, X₂, Y₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ randomly and forms the component seceret key ESF-3-SK by constructing κ(I_j, y′, r) in the last element-group as

And the contruction of the other element-groups follows the construction of SK_{HIBE,S_θ} in RHIBE.GenKey.

SKeyESF-4 It chooses chooses y′, r ∈ Z_p randomly, X₂, Y₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ randomly and forms the component ESF-4-SK by constructing κ(I_j, y′, r) in the last element-group as

And the contruction of the other element-groups follows the construction of SK_{HIBE,S_θ} in RHIBE.GenKey.

SKeyESF-5 It chooses chooses y′, r ∈ Z_p randomly, X₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ randomly and forms the component ESF-5-SK by by constructing κ(I_j, y′, r) in the last element-group as

And the contruction of the other element-groups follows the construction of SK_{HIBE,S_θ} in RHIBE.GenKey.

The constructions from the normal component update key to the (ephemeral) semi-functional component update keys are similar to that of secret keys, expect that we change the first element group of normal component update key to different types.

UKeyESF-1 Let the correlative component key to the node θ ∈ KUNode(RL_{ID|_j−1,T}) be . It chooses random values and forms the ephemeral semi-functional secret key by changing the first element group as It chooses random values X₃, Y₃ ∈ G_p₃ and forms the component ESF-1-SK by changing the first element-group as

UKeyESF-2 Let the correlative component key to the node θ ∈ KUNode(RL_{ID|_j−1,T}) be . It chooses random values and forms the ephemeral semi-functional secret key by changing the first element group as

UKeyESF-3 It chooses chooses y′, r ∈ Z_p randomly, X₂, Y₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ randomly and forms the component seceret key ESF-3-UK by constructing κ_T(T, y′, r) of the first element-group as

And the contruction of the other element-groups follows the construction of RSK_HIBE and SK_{IBE,S_θ} in RHIBE.UpdateKey.

UKeyESF-4 It chooses chooses y′, r ∈ Z_p randomly, X₂, Y₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ randomly and forms the component ESF-4-UK by constructing κ_T(T, y′, r) in the first element-group as

And the contruction of the other element-groups follows the construction of RSK_HIBE and SK_{IBE,S_θ} in RHIBE.UpdateKey.

UKeyESF-5 It chooses chooses y′, r ∈ Z_p randomly, X₂ ∈ G_p₂ randomly, and X₃, Y₃ ∈ G_p₃ randomly and forms the component ESF-5-UK by by constructing κ_T(T, y′, r) in the first element-group as

And the contruction of the other element-groups follows the construction of RSK_HIBE and SK_{IBE,S_θ} in RHIBE.UpdateKey.

DKeyESF-i The ephemeral semi-functional decryption key generation algorithm firstly retrieves θ* ∈ KUNode(RL_{ID|_j−1,T})⋂ Path(ID|_j), and gets and which are the correlative subkey to the node θ* from UKeyESF − i(T, ST_{ID|_j−1}, θ*) and SKeyESF − i(ID|_j, θ*), and then forms the ephemeral semi-functional decryption key as same as DeriveKeySF.

B Proof of lemmas

Lemma 1 Under Assumptions 3, no PPT attacker can distinguish between O₀ and O_1/2 with non-negligible advantage. So no PPT attacker can distinguish between H_{h_c−1,2} and H_{h_c,1} with non-negligible advantage.

Proof We assume interacts with one of O₀, O_1/2. receives g, g₂, X₁ X₃, Y₁ Y₃, T. will simulate either O₀ or O_1/2 with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (82) from its oracle simulator who additionally chooses randomly.

We note that these are properly distributed, with y modulo p₁ implicitly set to the discrete logarithm of X₁ base g modulo p₁, equal to d modulo p₂ and p₃, y₀ modulo p₁ implicitly set to the discrete logarithm of Y₁ base g modulo p₁, equal to d₀ modulo p₂ and p₃, and σ equal to c modulo p₂ and p₃. Note that the values of c modulo p₁, p₂, p₃ are uncorrelated from each other by the Chinese Remainder Theorem, and v = g_c only involves the value of c modulo p₁.

chooses α ∈ Z_n randomly, and gives the following public parameters: (83)

We note that knows the master secret key α. When requests a normal update key or a normal decryption key, can responds by using the usual key generation algorithm, since it knows α. And also can respond the semi-functional keys according to the group elements in Eq 82 that have been offered by the oracle simulator.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to as same as Eq 6. When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning as same as Eq 7 to . Then creats the semi-functional ciphertexts as

When creats the HIBE private key with the index pair (h, i_c) for some identity vector (I₁, ⋯, I_j) in the index h node, the HIBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses y₁, ⋯, y_j, and generates a ESF-2-SK SK_{HIBE,θ_h}.
It implicitly sets to be and that is a properly distribution ESF-2-SK.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge HIBE key queried to who chooses a random y₀ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = (w^y′, g^y′, v^y′ T^aI+b, T) to .
i_c > h_c: It simply generates a normal HIBE private key.

In the challenge HIBE key, it implicitly sets g^r to be the G_p₁ part of T. If T ∈ G_p₁, then this matches the distribution of O₀ (since there are no G_p₃ terms here), and so this will be a properly distributed normal key and is playing Game H_{h_c−1,2}. If T ∈ G_p₁p₃, then this matches the distribution of O_1/2 (note that a, b modulo p₂ are uniformly random and do not occur elsewhere- so there are random G_p₃ terms attached to the last two group elements) and then is playing Game H_{h_c,1}.

Hence, if a PPT attacker can distinguish between H_{h_c−1,2} and H_{h_c,1} with non-negligible advantage, can distinguish between O₀ and O_1/2 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 3.

Thus, under Assumptions 3, no PPT attacker can distinguish between O₀ and O_1/2 with non-negligible advantage and no PPT attacker can distinguish between H_{h_c−1,2} and H_{h_c,1} with non-negligible advantage.

Lemma 2 Under Assumptions 4, no PPT attacker can distinguish between O_1/2 and O₁ with non-negligible advantage. So no PPT attacker can distinguish between H_{h_c,1} and H_{h_c,2} with non-negligible advantage.

Proof We assume interacts with one of O_1/2, and O₁. receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either O_1/2 or O₁ with , depending on the value of T (which is either in G or G_p₁p₃). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (84) from its oracle simulator, where y, ψ₁, ψ₂, σ₁, σ₂ ∈ Z_p are randomly chosen. It chooses α ∈ Z_n randomly, and gives the public parameters in Eq 83.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for , responds to by choosing a random t_i ∈ Z_N. In response to the query for T*, responds to by choosing a random t₀ ∈ Z_N. Then creats the semi-functional ciphertexts successfully.

When creats the HIBE private key with the index pair (h, i_c) for some identity vector (I₁, ⋯, I_j) in the index h node, the HIBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: chooses random values y₁, ⋯, y_j, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈ Z_n and generates a ESF-2 PSK_HIBE,h.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge HIBE key queried to who chooses a random y₀ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = (w^y′, g^y′, v^y′ T^aI+b, T) to .
i_c > h_c: It simply generates a normal HIBE private key.

As in the previous lemma, this implicitly sets g_r to be the G_p₁ part of T in the challenge HIBE key. We note that a, b modulo p₂,p₃ are uniformly random and do not appear elsewhere. Thus, when T ∈ G_p₁p₃, these last two terms will have random elements of G_p₃ attached (matching the distribution of O_1/2) and then is playing Game H_{h_c,1}. And when T ∈ G, these last two terms will have random elements in both G_p₃ and G_p₂ attached (matching the distribution of O₁) and then is playing Game H_{h_c,2}.

Hence, if a PPT attacker can distinguish between H_{h_c,1} and H_{h_c,2} with non-negligible advantage, can distinguish between O_1/2 and O₁ with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between O_1/2 and O₁ with non-negligible advantage. Thus, no PPT attacker can distinguish between H_{h_c,1} and H_{h_c,2} with non-negligible advantage.

Lemma 3 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between S_k−1,1 and S_k,2 with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₂, X₁ X₃, Y₁ Y₃, T. will simulate either or with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). initially obtains the group elements in Eq 82 from its oracle simulator. It chooses α ∈ Z_n randomly, and gives the public parameters in Eq 83. B can responds by using the normal update key generation and the normal decryption key derivation algorithm, since it knows α.

When makes a secret key query for the identity ID|_j = (I₁, ⋯, I_j), then makes its challenge HIBE-key-type query for I_j, responds as follows. It chooses y′, r, r₁, r₂ ∈ Z_N randomly and responds with:

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random t₀, t₁, …, t_l ∈ Z_p, chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows:

i < k: If i = 0, and responds with the ciphertext-element-group , else the element group is ;
i = k: The ciphertext-element-group is (T₁, T₃, T₂) = ;
i > k: The ciphertext-element-group is .

We must now argue that the challenge key-type query and the k^th ciphertext-type query responses are properly distributed. If T ∈ G_p₁, then the response to the k ciphertext type query is identically distributed to a response from O₁, and the values a, b modulo p₃ only appear in the response to the challenge key-type query, hence the G_p₃ parts on the last two group elements here appear random in G_p₃. This will be a properly distributed EST-2^k−1-CT which means that the responses of properly simulate the responses of and is playing Game S_k−1,1.

If T ∈ G_{p₁ p₃}, then we must argue that aI + b and both appear to be uniformly random modulo p₃: this follows from pairwise independence of the function aI + b modulo p₃, since we have restricted the Type-1 adversary to choose I and so that modulo p₃. This means that the G_p₃ components on the last two group elements of the challenge key-type query response and on the k ciphertext-type query response are uniformly random in the attacker’s view. In this case, has produced a properly distributed EST-3^k-CT which means that has properly simulated the responses of and is playing Game S_k,2.

Particularly, we need overcome the paradox in the game hopping from Game S_{q_c−1,1} to Game S_{q_c,2} since the simulator can derive a decryption key and check whether the ciphertext is normal or semi-functional by being decrypted by the semi-functional derived decryption key from secret keys and update keys. For the game hopping from Game S_{q_c−1,1} to Game S_{q_c,2}, no matter whether T ∈ G_p₁p₃ or T ∈ G_p₁, the cipertext- element-group (T₁, T₃, T₂) can be decrypted by the decryption key derived from the ESF-2-SK and normal update key. So the paradox is overcame successfully. (The other paradox need to overcome is in the game hopping from Game L_{q_c−1,1} to Game L_{q_c,2}. In Lamma 23, the paradox can be overcame In the same way.)

Hence, if a PPT attacker can distinguish any pair between S_k−1,1 and S_k,2 with non-negligible advantage, can distinguish the corresponding pair between and with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. Thus, no PPT attacker can distinguish between S_k−1,1 and S_k,2 with non-negligible advantage.

Lemma 4 Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between S_k,2 and S_k,3 with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either or with , depending on the value of T (which is either in G or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (85) from its oracle simulator where z, y₀, y, ψ ∈ Z_p are randomly chosen. These are properly distributed, with g^s = X₁ and . Note that this sets σ₁ equal to c modulo p₂ and p₃ and σ₂ equal to c₀ modulo p₂ and p₃. It chooses α ∈ Z_n randomly, and gives the following public parameters in Eq 83. We note that knows the master secret key α. When requests a normal update key or a normal decryption key, can responds by using the usual key generation algorithm, since it knows α.

When makes a secret key query for the identity ID|_j = (I₁, ⋯, I_j), then makes its challenge HIBE-key-type query for I_j, responds as follows. It chooses y′, r, r₁, r₂ ∈ Z_N randomly and responds with:

This has uniformly random terms in G_p₂ and G_p₃ on the last two elements, since r₁, r₂ are both uniformly random modulo p₂ and p₃.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random , chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows:

i < k: If i = 0, the ciphertext-element-group is else the ciphertext-element-group is
This sets and , which is uniformly random because the value of d and d₀ modulo p₂ will not appear elsewhere. It implicitly sets . This is identically distributed to a response from O₂, with a′, b′ equal to a, b modulo p₂, and σ₁ = c modulo p₂, σ₂ = c₀ modulo p₂. We note that this is in the only context in which the values of a, b modulo p₂ appear, so this is equivalent to choosing a′, b′ independently at random.
i = k: If k = 0, the ciphertext-element-group is (T₁, T₃, T₂) = ; If k > 0, the ciphertext-element-group is (T₁, T₃, T₂) = ;
i > k: The ciphertext-element-group is .

If T ∈ G_p₁p₃, then the response for ciphertext-type query i is identically distributed to a response from .

In this case, has produced a properly distributed EST-3^k-CT and is playing Game S_k,2.

If T ∈ G, then this response additionally has terms in G_p₂ which are appropriately distributed with c = σ₁, a = a′, b = b′ modulo p₂ or c₀ = σ₂.a₀ = a′, b₀ = b′ modulo p₂. Thus, the response is identically distributed to a response from . In this case, has produced a properly distributed EST-4^k-CT and is playing Game S_k,3.

Hence, if a PPT attacker can distinguish any pair between S_k,2 and S_k,3 with non-negligible advantage, can distinguish the corresponding pair between and with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. Thus, no PPT attacker can distinguish between S_k,2 and S_k,3 with non-negligible advantage.

Lemma 5 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between S_k,3 and S_k,1 with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₂, X₁ X₃, T. will simulate either or with , depending on the value of T (which is either in G_p₁ or G_p₁p₃). initially obtains the group elements in Eq 82 from its oracle simulator. It chooses α ∈ Z_n randomly, and gives the public parameters in Eq 83. B can responds by using the normal update key generation and the normal decryption key derivation algorithm, since it knows α.

When makes a secret key query for the identity ID|_j = (I₁, ⋯, I_j), then makes its challenge HIBE-key-type query for I_j, responds as follows. It chooses y′, r, r₁, r₂ ∈ Z_N randomly and responds with:

We note that the G_p₂ parts here are uniformly random.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random t₀, t₁, …, t_l ∈ Z_p, chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows:

i < k: If i = 0, responds with the ciphertext-element-group , else the element group is . This is identically distributed to a response from O₂.
i = k: choses z ∈ Z_p randomly and responds with the ciphertext-element-group (T₁, T₃, T₂) = if k > 0. Else if k = 0, responds with . We note that the G_p₂ parts here are properly distributed, since σ₁ = c modulo p₂ and σ₂ = c₀ modulo p₂.
i > k: The ciphertext-element-group is . This is identically distributed to a response from O₁.

When T ∈ G_p₁ the values of a, b modulo p₃ only appear in the response to the challenge key-type query, which means that the G_p₃ terms on the last two group elements there are uniformly random. Also, the response to the k^th ciphertext-type query is distributed exactly like a response from O₂. In this case, has properly simulated the responses of and this will be a properly distributed EST-2^k-CT and so is playing Game S_k,1.

When T ∈ G_p₁p₃, we must argue that the values aI + b and appear uniformly random modulo p₃: this follows by pairwise independence of aI + b as a function of I modulo p₃, since we have restricted the Type-1 adversary to choose I and so that modulo p₃ and a, b modulo p₃ only appear in these two values. Hence, has produced a properly distributed EST-4^k-CT and has properly simulated the response of in this case. So is playing Game S_k,3. We have thus shown that can use the output of to achieve non-negligible advantage against Assumption 3.

Hence, if a PPT attacker can distinguish any pair between S_k,3 and S_k,1 with non-negligible advantage, can distinguish the corresponding pair between and with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. Thus, no PPT attacker can distinguish between S_k,3 and S_k,1 with non-negligible advantage.

Lemma 6 Under Assumptions 3, no PPT attacker can distinguish between O₂ and O_5/2 with non-negligible advantage. So no PPT attacker can distinguish between E_{h_c−1,2} and E_{h_c,1} with non-negligible advantage.

Proof We assume interacts with one of O₂ and O_5/2. receives g, g₂, X₁ X₃, Y₁ Y₃, T. will simulate either O₂ and O_5/2 with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements in Eq 82 from its oracle simulator who additionally chooses randomly.

chooses α ∈ Z_n randomly, and gives the public parameters in Eq 83. We note that knows the master secret key α. When requests a normal decryption key, can responds by using the usual key generation algorithm, since it knows α.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to as same as Eq 10. When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning as same as Eq 11 to . Then creats the ESF-1 ciphertexts successfully.

When requests the secret key of an identity vector ID|_j = (I₁, ⋯, I_j), creats the ESF-2-SK key by the HIBE-type query response from and the secret key for ID|_j in some node θ is where y₁, ⋯, y_j, are randomly chosen.

When creats the IBE private key with the index pair (h, i_c) for some time for the identity vector (I₁, ⋯, I_j−1) in the index h node, the update key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses y₀, ⋯, y_j−1, λ₁, ⋯, λ_j−1, , z, z′ ∈ Z_n and generates a ESF-2-UK TUK_{ID|_l,T,θ_h}.
It implicitly sets to be and that is a properly distribution ESF-2-UK.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge IBE key queried to who chooses a random y₀ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It simply generates a normal IBE private key.

In the challenge IBE key, it implicitly sets g^r to be the G_p₁ part of T. If T ∈ G_p₁, then this matches the distribution of O₀ (since there are no G_p₃ terms here), and so this will be a properly distributed normal key and is playing Game E_{h_c−1,2}. If T ∈ G_p₁p₃, then this matches the distribution of O_1/2 (note that a, b modulo p₂ are uniformly random and do not occur elsewhere- so there are random G_p₃ terms attached to the last two group elements) and then is playing Game E_{h_c,1}.

Hence, if a PPT attacker can distinguish between E_{h_c−1,2} and E_{h_c,1} with non-negligible advantage, can distinguish between O₂ and O_5/2 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between O₂ and O_5/2 with non-negligible advantage. Thus, no PPT attacker can distinguish between E_{h_c−1,2} and E_{h_c,1} with non-negligible advantage.

Lemma 7 Under Assumptions 4, no PPT attacker can distinguish between O_5/2 and O₃ with non-negligible advantage. So no PPT attacker can distinguish between E_{h_c,1} and E_{h_c,2} with non-negligible advantage.

Proof We assume interacts with one of O_1/2, and O₁. receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either O_1/2 or O₁ with , depending on the value of T (which is either in G or G_p₁p₃). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements in Eq 84 from its oracle simulator, and gives the public parameters in Eq 83.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to as same as Eq 10. When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning as same as Eq 11 to . Then creats the ESF-1 ciphertexts successfully.

When requests the secret key of an identity vector ID|_j = (I₁, ⋯, I_j), creats the ESF-2-SK key by the HIBE-type query response from and the secret key for ID|_j in some node θ is where y₁, ⋯, y_j, are randomly chosen.

When creats the IBE private key with the index pair (h, i_c) for a time T in the index h node in the binary tree BT_{ID|_j = (I₁, ⋯, I_j−1)}, the update key with an index pair (h, i_c) is generated as follows:

i_c < h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₀, ⋯, r_j−1, z, z′ ∈ Z_n and generates a ESF-2 TUK_IBE,h.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge IBE key queried to who chooses a random y₀ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It simply generates a normal HIBE private key.

As in the previous lemma, this implicitly sets g_r₀ to be the G_p₁ part of T in the challenge IBE key. We note that a₀, b₀ modulo p₂, p₃ are uniformly random and do not appear elsewhere. Thus, when T ∈ G_p₁p₃, these last two terms will have random elements of G_p₃ attached (matching the distribution of O_5/2) and then is playing Game E_{h_c,1}. And when T ∈ G, these last two terms will have random elements in both G_p₃ and G_p₂ attached (matching the distribution of O₃) and then is playing Game E_{h_c,2}.

Hence, if a PPT attacker can distinguish between E_{h_c,1} and E_{h_c,2} with non-negligible advantage, can distinguish between O_5/2 and O₃ with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between O_5/2 and O₃ with non-negligible advantage. Thus, no PPT attacker can distinguish between E_{h_c,1} and E_{h_c,2} with non-negligible advantage.

Lemma 8 Under Assumptions 3, no PPT attacker can distinguish between O₃ and O_3.1 with non-negligible advantage. So no PPT attacker can distinguish between F_{h_c−1} and F_{h_c} with non-negligible advantage.

Proof We assume interacts with one of O₃, O_3.1. receives g, g₂, X₁ X₃, Y₁ Y₃, T. will simulate either O₀ or O_1/2 with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements in Eq 82 from its oracle simulator who additionally chooses randomly. chooses α ∈ Z_n randomly, and gives the following public parameters in Eq 83. We note that knows the master secret key α.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to . When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . Then creats the ESF-1 ciphertexts successfully.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses r₁, r₂, r′, y″ ∈ Z_n randomly and returns the group elements to . And then creats the ESF-2 update key by using the group elements.

When creats the HIBE private key with the index pair (h, i_c) for some identity vector (I₁, ⋯, I_j) in the index h node, the HIBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses , and generates a ESF-3-SK PSK_HIBE,h.
It implicitly sets to be and to be and that is a properly distribution ESF-3-SK.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge HIBE key queried to who chooses a random r, r₁, r₂ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It randomly chooses y₁, ⋯, y_j, and generates a ESF-2-SK PSK_HIBE,h.
It implicitly sets to be and that is a properly distribution ESF-2-SK.

In the challenge HIBE key, it implicitly sets g^y′ to be the G_p₁ part of T. If T ∈ G_p₁, then this matches the distribution of O₃ (since there are no G_p₃ terms here), and so this will be a properly distributed normal key and is playing Game F_{h_c−1}. If T ∈ G_p₁p₃, then this matches the distribution of O_3.1 (note that a, b modulo p₂ are uniformly random and do not occur elsewhere- so there are random G_p₃ terms attached to the last two group elements) and then is playing Game F_{h_c}.

Hence, if a PPT attacker can distinguish between F_{h_c−1} and F_{h_c} with non-negligible advantage, can distinguish between O₃ and O_3.1 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between O₃ and O_3.1 with non-negligible advantage. Thus, no PPT attacker can distinguish between F_{h_c−1} and F_{h_c} with non-negligible advantage.

Lemma 9 Under Assumptions 3, no PPT attacker can distinguish between O_3.1 and O_3.2 with non-negligible advantage. So no PPT attacker can distinguish between F1_{h_c−1} and F1_{h_c} with non-negligible advantage.

Proof The proof of this lemma is almost the same as that of Lemma 8 except the generation of secret keys and update keys.

Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, chooses r₁, r₂, r′, y″ ∈ Z_n randomly and returns the group elements to . And then creats the ESF-3 update key by using the group elements.

When creats the IBE private key with the index pair (h, i_c) for some identity vector (I₁, ⋯, I_j−1) and the time T in the index h node, the IBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses , and generates a ESF-3-UK EUK_IBE,h.
It implicitly sets to be and to be and that is a properly distribution ESF-3-UK.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge IBE key queried to who chooses a random r, r₁, r₂ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It randomly chooses y₁, ⋯, y_j, and generates a ESF-2-UK EUK_IBE,h.
It implicitly sets to be and that is a properly distribution ESF-2-UK.

In the challenge IBE key, it implicitly sets g^y′ to be the G_p₁ part of T. If T ∈ G_p₁, then this matches the distribution of O_3.1 (since there are no G_p₃ terms here), and so this will be a properly distributed normal key and is playing Game F1_{h_c−1}. If T ∈ G_p₁p₃, then this matches the distribution of O_3.2 (note that a, b modulo p₂ are uniformly random and do not occur elsewhere- so there are random G_p₃ terms attached to the last two group elements) and then is playing Game F1_{h_c}.

Hence, if a PPT attacker can distinguish between F1_{h_c−1} and F1_{h_c} with non-negligible advantage, can distinguish between O_3.1 and O_3.2 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between O_3.1 and O_3.2 with non-negligible advantage. Thus, no PPT attacker can distinguish between F1_{h_c−1} and F1_{h_c} with non-negligible advantage.

Lemma 10 Under Assumptions 4, no PPT attacker can distinguish between O_3.2 and O_3.3 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−2 and G_ESF′−3 with non-negligible advantage.

Proof We assume interacts with one of O_3.2, O_3.3. receives g, g₂, X₁ X₃, Y₂ Y₃, T. will simulate either O_3.2 or O_3.3 with , depending on the value of T (which is either in G or G_p₁p₂). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . It chooses random values σ₁, σ₂, y, y′, t₃, z ∈ Z_N and then initially obtains the group elements (86)

We note that this sets ψ₁ = d modulo p₂ and p₃. It implicitly sets g^s to be the G_p₁ part of T. If T ∈ G_p₁p₂, this is distributed identically to the initial elements provided by O_3.2. If T ∈ G, this is distributed identically to the initial elements provided by O_3.3.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses r₁, r₂, r′, y″ ∈ Z_n randomly and returns the group elements to . And then creats the ESF-2 update key by using the group elements.

When creats the HIBE private key with the index pair (h, i_c) for some identity vector (I₁, ⋯, I_j) in the index h node, the HIBE private key with an index pair (h, i_c) is generated as follows:

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to . When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . Then creats the ESF-1 ciphertexts successfully.

Lemma 11 Under Assumptions 4, no PPT attacker can distinguish between O_3.3 and O_3.4 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−3 and G_ESF′−4 with non-negligible advantage.

Proof We assume interacts with one of O_3.3, O_3.4. receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either O_3.3 or O_3.4 with , depending on the value of T (which is either in G or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (87) from its oracle simulator who additionally chooses s, γ, y, y′, z ∈ Z_N randomly. We note that this is properly distributed and set ψ₁ = d modulo p₂ and p₃, ψ₂ = d₀ modulo p₂ and p₃ and σ₁ = c modulo p₂ and p₃, σ₂ = c₀ modulo p₂ and p₃.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to . When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . This implicitly sets . It also sets a′ = a and b′ = b modulo p₂ or a′ = a₀ and b′ = b₀ modulo p₂,

which are properly distributed because a, b modulo p₂ and a₀, b₀ modulo p₂ do not appear elsewhere. Then creats the ESF-5 ciphertexts successfully.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses r, y′, z ∈ Z_n randomly and returns the group elements to . And then creats the ESF-3 update key by using the group elements.

When creats the HIBE private key with the index pair (h, i_c) for some identity vector (I₁, ⋯, I_j) in the index h node, the HIBE private key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses y₁, ⋯, y_j, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈ Z_n and generates a ESF-4-SK PSK_HIBE,h.
That is a properly distribution ESF-4-SK.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge HIBE key queried to who chooses a random r, r₁, r₂ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It randomly chooses y₁, ⋯, y_j, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈ Z_n and generates a ESF-3-SK PSK_HIBE,h.
That is a properly distribution ESF-3-SK.

In the challenge HIBE key, it implicitly sets g^y′ to be the G_p₁ part of T. If T ∈ G_p₂p₃, then this matches the distribution of O_3.3, and so this will be a properly distributed normal key and is playing Game F3_{h_c−1}. If T ∈ G, then this matches the distribution of O_3.4 and then is playing Game F3_{h_c}.

Hence, if a PPT attacker can distinguish between F3_{h_c−1} and F3_{h_c} with non-negligible advantage, can distinguish between O_3.3 and O_3.4 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between O_3.3 and O_3.4 with non-negligible advantage. Thus, no PPT attacker can distinguish between F3_{h_c−1} and F3_{h_c} with non-negligible advantage.

Lemma 12 Under Assumptions 4, no PPT attacker can distinguish between O_3.4 and O_3.5 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−4 and G_ESF′−5 with non-negligible advantage.

Proof The proof of this lemma is almost the same as that of Lemma 11 except the generation of secret keys and update leys.

Upon receiving a challenge HIBE-key-type query for I ∈ Z_n, chooses r, y′, z, z′ ∈ Z_n randomly and returns the group elements to . And then creats the ESF-4 secret key by using the group elements.

When creats the IBE private key with the index pair (h, i_c) for some time for the identity vector (I₁, ⋯, I_j−1) in the index h node, the update key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses y₁, ⋯, y_j, λ₁, ⋯, λ_j−1, r₀, ⋯, r_j−1, z, z′ ∈ Z_n and generates a ESF-4-UK TUK_IBE,h.
That is a properly distribution ESF-4-UK.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge IBE key queried to who chooses a random r, r₁, r₂ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It randomly chooses y₀, y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈ Z_n and generates a ESF-3-UK TUK_IBE,h.
That is a properly distribution ESF-3-UK.

In the challenge IBE key, it implicitly sets g^y′ to be the G_p₁ part of T. If T ∈ G_{p₂ p₃}, then this matches the distribution of O_3.4, and so this will be a properly distributed normal key and is playing Game F4_{h_c−1}. If T ∈ G, then this matches the distribution of O_3.5 and then is playing Game F4_{h_c}.

Hence, if a PPT attacker can distinguish between F4_{h_c−1} and F4_{h_c} with non-negligible advantage, can distinguish between O_3.4 and O_3.5 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between O_3.4 and O_3.5 with non-negligible advantage. Thus, no PPT attacker can distinguish between F4_{h_c−1} and F4_{h_c} with non-negligible advantage.

Lemma 13 Under Assumptions 4, no PPT attacker can distinguish between O_3.5 and O_3.6 with non-negligible advantage. So no PPT attacker can distinguish between G_ESF′−5 and G_ESF′−6 with non-negligible advantage.

Proof We assume interacts with one of O_3.5, O_3.6. receives g, g₂, X₁ X₃, Y₂ Y₃, T. will simulate either O_3.5 or O_3.6 with , depending on the value of T (which is either in G or G_p₁p₂). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (88) from its oracle simulator where z, y₀, y, σ₁, σ₂ ∈ Z_p are randomly chosen. We note that this set ψ = d modulo p₂ and p₃. If T ∈ G_p₁p₂, then this matches the initial elements provided by O_3.6. If T ∈ G, then this matches the initial elements provided by O_3.5. It chooses α ∈ Z_n randomly, and gives the following public parameters in Eq 83. We note that knows the master secret key α. When requests a normal update key or a normal decryption key, can responds by using the usual key generation algorithm, since it knows α.

When makes a secret key query for the identity ID|_j = (I₁, ⋯, I_j), then makes its challenge HIBE-key-type query for I_j, responds as follows. It chooses y′, r, r₁, r₂ ∈ Z_N randomly and responds with:

And then creats the ESF-4 secret key by using the group elements.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses y′, r, r₁, r₂ ∈ Z_N randomly and responds with: to . And then creats the ESF-4 update key by using the group elements.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random t₀, t₁, …, t_l ∈ Z_p, chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows if i > 0: and (C_0,1, C_0,2, C_0,3) is defined as follows

We note that this is very similar to the way behaves in the proof of Lemma 12. The only difference is the terms which have been added to the challenge key. As in the proof of Lemma 12, we have that if T ∈ G, the G_p₃ components of the challenge ciphertext are properly distributed as in a response from O_3.5, since the value of c modulo p₃ is not revealed by the challenge key-type response (it is hidden by the random term ). Also as in the proof of Lemma 12, we have that the G_p₂ components of the ciphertext-type responses are properly distributed. Thus, if T ∈ G_p₁p₂, has properly simulated the responses of O_3.6, and when T ∈ G, has properly simulated the responses of O_3.6.

Hence, if a PPT attacker can distinguish any pair between G_ESF′−5 and G_ESF′−6 with non-negligible advantage, can distinguish the corresponding pair between O_3.5 and O_3.6 with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between O_3.5 and O_3.6 with non-negligible advantage. Thus, no PPT attacker can distinguish between G_ESF′−5 and G_ESF′−6 with non-negligible advantage.

Lemma 14 Under Assumptions 4, no PPT attacker can distinguish between O_3.6 and O_7/2′ with non-negligible advantage. So no PPT attacker can distinguish between F6_i−1,2 and F6_i,1 with non-negligible advantage.

Proof We assume interacts with one of O_3.6 and O_7/2′. receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either O_3.6 and O_7/2′ with , depending on the value of T (which is either in G or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (89) from its oracle simulator who additionally chooses ψ₁, ψ₂, σ₁, σ₂, y, y′ ∈ Z_N randomly. These are properly distributed with g^s implicitly set to be X₁.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity , responds by choosing a random and returning to . When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . This sets and , which is uniformly random because the value of d and d₀ modulo p₂ will not appear elsewhere. It implicitly sets . This is identically distributed to a response from O₆ and O_7/2′, with a′, b′ equal to a, b modulo p₂, and σ₁ = c modulo p₂, σ₂ = c₀ modulo p₂. We note that this is in the only context in which the values of a, b modulo p₂ appear, so this is equivalent to choosing a′, b′ independently at random. Then creats the ESF-1 ciphertexts successfully.

When requests the secret key of an identity vector ID|_j = (I₁, ⋯, I_j), creats the ESF-4-SK key by the HIBE-type query responses from who randomly chooses y₁, ⋯, y_j, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈ Z_n and generates a ESF-4-SK PSK_{HIBE,h_θ} for every θ

When creats the IBE private key with the index pair (h, i_c) for some time for the identity vector (I₁, ⋯, I_j−1) in the index h node, the update key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses y₀, ⋯, y_j−1, λ₁, ⋯, λ_j−1, , z, z′ ∈Z_n and generates a semi-functional update key TUK_{ID|_l,T,θ_h}.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge IBE key queried to who chooses a random y₀ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It generates a ESF-4-UK as where z, z′ ∈ Z_p are randomly chosen.

In the challenge IBE key, it implicitly sets g^r to be the G_p₁ part of T. We note that a₀, b₀ modulo p₂,p₃ are uniformly random and do not appear elsewhere. If T ∈ G_p₁p₃, then this matches the distribution of O₆, and so this will be a properly distributed normal key and is playing Game F6_{h_c−1,2}. If T ∈ G, then this matches the distribution of O_7/2′ (note random G_p₃ terms attached to the last two group elements) and then is playing Game F6_{h_c,1}.

Hence, if a PPT attacker can distinguish between F6_{h_c−1,2} and F6_{h_c,1} with non-negligible advantage, can distinguish between O₆ and O_7/2′ with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between O₆ and O_7/2′ with non-negligible advantage. Thus, no PPT attacker can distinguish between F6_{h_c−1,2} and F6_{h_c,1} with non-negligible advantage.

Lemma 15 Under Assumptions 3, no PPT attacker can distinguish between O_7/2′ and with non-negligible advantage. So no PPT attacker can distinguish between F6_i,1 and F6_i,2 with non-negligible advantage.

Proof We assume interacts with one of O_7/2′, and . receives g, g₂, X₁ X₃, T. will simulate either O_7/2′ or with , depending on the value of T (which is either in G_p₁ or G_p₁p₃). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements (90) from its oracle simulator, and gives the public parameters in Eq 83.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to as same as Eq 10. When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . Then creats the ESF-1 ciphertexts successfully.

When requests the secret key of an identity vector ID|_j = (I₁, ⋯, I_j), creats the ESF-4-SK key by the HIBE-type query response from and the secret key for ID|_j in some node θ is where , are randomly chosen.

When creats the IBE private key with the index pair (h, i_c) for some time for the identity vector (I₁, ⋯, I_j−1) in the index h node, the update key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses , λ₁, ⋯, λ_j−1, r₀, r₁, ⋯, r_j−1, z, z′ ∈Z_n and generates a semi-functional update key TUK_{ID|_l,T,θ_h}
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge IBE key queried to who chooses a random y₀ ∈ Z_N and returns (T₀, T₁, T₂, T₃) = T). This implicitly sets g^r to be the G_p₁ part of T.
i_c > h_c: It generates a ESF-4-UK as where z, z′ ∈ Z_p are randomly chosen.

In the challenge IBE key, it implicitly sets to be the G_p₁ part of T. We note that a₀, b₀ modulo p₂,p₃ are uniformly random and do not appear elsewhere. If T ∈ G_p₁p₃, then this matches the distribution of O_7/2′, and so this will be a properly distributed normal key and is playing Game F6_{h_c,1}. If T ∈ G_p₁, then this matches the distribution of and then is playing Game F6_{h_c,2}.

Hence, if a PPT attacker can distinguish between F6_{h_c,1} and F6_{h_c,2} with non-negligible advantage, can distinguish between O_7/2′ and with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between O_7/2′ and with non-negligible advantage. Thus, no PPT attacker can distinguish between F6_{h_c,1} and F6_{h_c,2} with non-negligible advantage.

Lemma 16 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₂, X₁ X₃, T. will simulate either or with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). initially obtains the group elements in Eq 82 from its oracle simulator.

When requests the secret key of an identity vector ID|_j = (I₁, ⋯, I_j), creats the ESF-4-SK key by the HIBE-type query response from and the secret key for ID|_j in some node θ is where , are randomly chosen.

When requests the update key of an identity vector ID|_j = (I₁, ⋯, I_j) and the ime T, creats the UK key by the IBE-type query response from and the secret key for ID|_j in some node θ is generated as follows: randomly chooses , λ₁, ⋯, λ_j−1, r₀, r₁, ⋯, r_j−1, z, z′ ∈Z_n and generates a semi-functional update key TUK_{ID|_l,T,θ_h}

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random t₀, t₁, …, t_l ∈ Z_p, chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows:

i < k: If i = 0, responds with the ciphertext-element-group , else the element group is . This is identically distributed to a response from O₂.
i = k: choses z ∈ Z_p randomly and responds with the ciphertext-element-group (T₁, T₃, T₂) = if k > 0. Else if k = 0, responds with . We note that the G_p₂ parts here are properly distributed, since σ₁ = c modulo p₂ and σ₂ = c₀ modulo p₂.
i > k: The ciphertext-element-group is . This is identically distributed to a response from O₁.

When T ∈ G_p₁ the values of a, b modulo p₃ only appear in the response to the challenge key-type query, which means that the G_p₃ terms on the last two group elements there are uniformly random. Also, the response to the k^th ciphertext-type query is distributed exactly like a response from O₂. In this case, has properly simulated the responses of and this will be a properly distributed EST-2^k-CT and so is playing Game .

When T ∈ G_p₁p₃, we must argue that the values aI + b and appear uniformly random modulo p₃: this follows by pairwise independence of aI + b as a function of I modulo p₃, since we have restricted the Type-1 adversary to choose I and so that modulo p₃ and a, b modulo p₃ only appear in these two values. Hence, has produced a properly distributed EST-4^k-CT and has properly simulated the response of in this case. So is playing Game . We have thus shown that can use the output of to achieve non-negligible advantage against Assumption 3.

Hence, if a PPT attacker can distinguish any pair between and with non-negligible advantage, can distinguish the corresponding pair between and with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. Thus, no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 17 Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either or with , depending on the value of T (which is either in G or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements in Eq 85 from its oracle simulator where z, y₀, y, ψ ∈ Z_p are randomly chosen.

When makes a secret key query for the identity ID|_j = (I₁, ⋯, I_j), then makes its challenge HIBE-key-type query for I_j, chooses r, y′, z, z′ ∈ Z_n randomly and returns the group elements to . And then creats the ESF-4 secret key by using the group elements.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses r₀, y₀ ∈ Z_n randomly and returns the group elements to . And then creats the semi-functional update key by using the group elements.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random , chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows:

i < k: If i = 0, the ciphertext-element-group is else the ciphertext-element-group is
This sets and , which is uniformly random because the value of d and d₀ modulo p₂ will not appear elsewhere. It implicitly sets . This is identically distributed to a response from O₂, with a′, b′ equal to a, b modulo p₂, and σ₁ = c modulo p₂, σ₂ = c₀ modulo p₂. We note that this is in the only context in which the values of a, b modulo p₂ appear, so this is equivalent to choosing a′, b′ independently at random.
i = k: If k = 0, the ciphertext-element-group is (T₁, T₃, T₂) = ; If k > 0, the ciphertext-element-group is (T₁, T₃, T₂) = ;
i > k: The ciphertext-element-group is .

If T ∈ G_p₁p₃, then the response for ciphertext-type query i is identically distributed to a response from .

In this case, has produced a properly distributed EST-3^k-CT and is playing Game .

If T ∈ G, then this response additionally has terms in G_p₂ which are appropriately distributed with c = σ₁, a = a′, b = b′ modulo p₂ or c₀ = σ₂.a₀ = a′, b₀ = b′ modulo p₂. Thus, the response is identically distributed to a response from . In this case, has produced a properly distributed EST-4^k-CT and is playing Game .

Hence, if a PPT attacker can distinguish any pair between and with non-negligible advantage, can distinguish the corresponding pair between and with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between and with non-negligible advantage. Thus, no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 18 Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. So no PPT attacker can distinguish between and with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₂, X₁ X₃, Y₁ Y₃, T. will simulate either or with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). initially obtains the group elements in Eq 82 from its oracle simulator. It chooses α ∈ Z_n randomly, and gives the public parameters in Eq 83. B can responds by using the normal update key generation and the normal decryption key derivation algorithm, since it knows α.

When requests the secret key of an identity vector ID|_j = (I₁, ⋯, I_j), creats the ESF-4-SK key by the HIBE-type query response from and the secret key for ID|_j in some node θ is where , are randomly chosen.

When requests the update key of an identity vector ID|_j = (I₁, ⋯, I_j) and the ime T, creats the UK key by the IBE-type query response from and the secret key for ID|_j in some node θ is generated as follows: randomly chooses , λ₁, ⋯, λ_j−1, r₀, r₁, ⋯, r_j−1, z, z′ ∈Z_n and generates a semi-functional update key TUK_{ID|_l,T,θ_h}

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. In response to each query for or T*, gets random t₀, t₁, …, t_l ∈ Z_p, chooses β ∈ {0, 1} and creats the ciphertext as where the ciphertext-element-group (C_i,1, C_i,2, C_i,3) is defined as follows:

i < k: If i = 0, and responds with the ciphertext-element-group , else the element group is ;
i = k: The ciphertext-element-group is (T₁, T₃, T₂) = ;
i > k: The ciphertext-element-group is .

We must now argue that the challenge key-type query and the k^th ciphertext-type query responses are properly distributed. If T ∈ G_p₁, then the response to the k ciphertext type query is identically distributed to a response from O₁, and the values a, b modulo p₃ only appear in the response to the challenge key-type query, hence the G_p₃ parts on the last two group elements here appear random in G_p₃. This will be a properly distributed EST-2^k−1-CT which means that the responses of properly simulate the responses of and is playing Game .

If T ∈ G_{p₁ p₃}, then we must argue that aI + b and both appear to be uniformly random modulo p₃: this follows from pairwise independence of the function aI + b modulo p₃, since we have restricted the Type-1 adversary to choose I and so that modulo p₃. This means that the G_p₃ components on the last two group elements of the challenge key-type query response and on the k ciphertext-type query response are uniformly random in the attacker’s view. In this case, has produced a properly distributed EST-3^k-CT which means that has properly simulated the responses of and is playing Game .

Hence, if a PPT attacker can distinguish any pair between and with non-negligible advantage, can distinguish the corresponding pair between and with non-negligible advantage. It means can use the output of to achieve a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between and with non-negligible advantage. Thus, no PPT attacker can distinguish between and with non-negligible advantage.

Lemma 19 Under Assumptions 4, no PPT attacker can distinguish between and O_7/2 with non-negligible advantage. So no PPT attacker can distinguish between I_{h_c−1,2} and I_{h_c,1} with non-negligible advantage.

Proof We assume interacts with one of . receives g, g₃, X₁ X₂, Y₂ Y₃, T. will simulate either or O_7/2 with , depending on the value of T (which is either in G or G_p₁p₃). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements in Eq 89 from its oracle simulator who additionally chooses ψ₁, ψ₂, σ₁, σ₂, y, y′ ∈ Z_N randomly. These are properly distributed with g^s implicitly set to be X₁.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity , responds by choosing a random and returning to . When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . (Note that this implicitly sets and , which is uniformly random because the value of d and d₀ modulo p₂ does not occur elsewhere.) Then creats the semi-functional ciphertexts successfully.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses r₀, y₀ ∈ Z_n randomly and returns the group elements to . And then creats the semi-functional update key by using the group elements.

When creats the HIBE private key with the index pair (h, i_c) for the identity vector (I₁, ⋯, I_j−1) in the index h node, the secret key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses y₁, ⋯, y_j, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈Z_n and generates a semi-functional secret key TUK_{ID|_l,T,θ_h}.
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge HIBE key queried to who chooses a random y_j ∈ Z_N and returns (T₀, T₁, T₂, T₃) = to .
i_c > h_c: It generates a ESF-4-SK as where z, z′ ∈ Z_p are randomly chosen.

In the challenge HIBE key, it implicitly sets to be the G_p₁ part of T. We note that a, b modulo p₂,p₃ are uniformly random and do not appear elsewhere. If T ∈ G_{p₁ p₃}, then this matches the distribution of , and so this will be a properly distributed ESF-4-SK key and is playing Game I_{h_c−1,2}. If T ∈ G, then this matches the distribution of O_7/2 (note random G_p₃ terms attached to the last two group elements) and then is playing Game I_{h_c,1}.

Hence, if a PPT attacker can distinguish between I_{h_c−1,2} and I_{h_c,1} with non-negligible advantage, can distinguish between and O_7/2 with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 4.

Thus, Under Assumptions 4, no PPT attacker can distinguish between and O_7/2 with non-negligible advantage. Thus, no PPT attacker can distinguish between I_{h_c−1,2} and I_{h_c,1} with non-negligible advantage.

Lemma 20 Under Assumptions 3, no PPT attacker can distinguish between O_7/2 and O₄ with non-negligible advantage. So no PPT attacker can distinguish between I_{h_c,1} and I_{h_c,2} with non-negligible advantage.

Proof We assume interacts with one of O_7/2, and O₄. receives g, g₂, X₁ X₃, T. will simulate either O_7/2 or O₄ with , depending on the value of T (which is either in G_p₁ or G_{p₁ p₃}). picks values a, b, c, d, a₀, b₀, c₀, d₀ ∈ Z_N uniformly at random and sets u = g^a, h = g^b, v = g^c, w = g^d, , , , . initially obtains the group elements in Eq 90 from its oracle simulator, and gives the public parameters in Eq 83.

When requests the challenge ciphertext for messages M₀, M₁, identity vector and T*, makes a ciphertext-type query to the oracle for each and T*. When makes a ciphertext-type query for some identity I*, responds by choosing a random t ∈ Z_N and returning to . When makes a ciphertext-type query for some time T*, responds by choosing a random t₀ ∈ Z_N and returning to . Then creats the semi-functional ciphertexts successfully.

Upon receiving a challenge IBE-key-type query for T ∈ Z_n, chooses randomly and returns the group elements to . And then creats the semi-functional update key by using the group elements.

When creats the HIBE private key with the index pair (h, i_c) for the identity vector (I₁, ⋯, I_j−1) in the index h node, the secret key with an index pair (h, i_c) is generated as follows:

i_c < h_c: It randomly chooses , λ₁, ⋯, λ_j−1, r₁, ⋯, r_j, z, z′ ∈Z_n and generates a semi-functional secret key PSK_{ID|_j,θ_h}
i_c = h_c: chooses random values y₁, ⋯, y_j−1, λ₁, ⋯, λ_j−1, r₁, ⋯, r_j−1 ∈ Z_n. forms the challenge key as: where (T₀, T₁, T₂, T₃) is the challenge HIBE key queried to who chooses a random and returns (T₀, T₁, T₂, T₃) = T). This implicitly sets to be the G_p₁ part of T.
i_c > h_c: It generates a ESF-4-SK as where z, z′ ∈ Z_p are randomly chosen.

In the challenge HIBE key, it implicitly sets to be the G_p₁ part of T. We note that a, b modulo p₂,p₃ are uniformly random and do not appear elsewhere. If T ∈ G_{p₁ p₃}, then this matches the distribution of O_7/2, and so this will be a properly distributed normal key and is playing Game I_{h_c,1}. If T ∈ G_p₁, then this matches the distribution of O₄ and then is playing Game I_{h_c,2}.

Hence, if a PPT attacker can distinguish between I_{h_c,1} and I_{h_c,2} with non-negligible advantage, can distinguish between O_7/2 and O₄ with non-negligible advantage. It means can gain a non-negligible advantage against Assumption 3.

Thus, Under Assumptions 3, no PPT attacker can distinguish between O_7/2 and O₄ with non-negligible advantage. Thus, no PPT attacker can distinguish between I_{h_c,1} and I_{h_c,2} with non-negligible advantage.

Acknowledgments

This research is supported by the project of the National Basic Research and Development Program of China (973 Program) No. 2012CB315906 and the National Key Research and Development Program 2017YFB0802301.

References

1. Seo JH, Emura K. Efficient Delegation of Key Generation and Revocation Functionalities in Identity-Based Encryption. In: CT-RSA. vol. 7779. Springer; 2013. p. 343–358.
2. Horwitz J, Lynn B. Toward hierarchical identity-based encryption. In: Advances in Cryptology-EUROCRYPT 2002. Springer; 2002. p. 466–481.
3. Seo JH, Emura K. Revocable hierarchical identity-based encryption: history-free update, security against insiders, and short ciphertexts. In: Cryptographers Track at the RSA Conference. Springer; 2015. p. 106–123.
4. Tsai TT, Tseng YM, Wu TY. RHIBE: constructing revocable hierarchical ID-based encryption from HIBE. Informatica. 2014;25(2):299–326.
- View Article
- Google Scholar
5. Lee K. Revocable Hierarchical Identity-Based Encryption with Adaptive Security. IACR Cryptology ePrint Archive. 2016;2016:749.
- View Article
- Google Scholar
6. Seo JH, Emura K. Adaptive-ID secure revocable hierarchical identity-based encryption. In: International Workshop on Security. Springer; 2015. p. 21–38.
7. Ryu G, Lee K, Park S, Lee DH. Unbounded hierarchical identity-based encryption with efficient revocation. In: International Workshop on Information Security Applications. Springer; 2015. p. 122–133.
8. Rouselakis Y, Waters B. Practical constructions and new proof methods for large universe attribute-based encryption. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM; 2013. p. 463–474.
9. Xing Q, Wang B, Wang X, Chen P, Yu B, Tang Y, et al. Unbounded Revocable Hierarchical Identity-Based Encryption with Adaptive-ID Security. In: High Performance Computing and Communications; IEEE 14th International Conference on Smart City; IEEE 2nd International Conference on Data Science and Systems (HPCC/SmartCity/DSS), 2016 IEEE 18th International Conference on. IEEE; 2016. p. 430–437.
10. Waters B, et al. Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. In: Crypto. vol. 5677. Springer; 2009. p. 619–636.
11. Lewko AB, Waters B. New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts. In: TCC. vol. 5978. Springer; 2010. p. 455–479.
12. Lewko AB, Waters B. Unbounded HIBE and Attribute-Based Encryption. In: Eurocrypt. vol. 6632. Springer; 2011. p. 547–567.
13. Lee K, Park S. Revocable Hierarchical Identity-Based Encryption with Shorter Private Keys and Update Keys. IACR Cryptology ePrint Archive. 2016;2016:460.
- View Article
- Google Scholar
14. Seo JH, Emura K. Revocable identity-based cryptosystem revisited: Security models and constructions. IEEE Transactions on Information Forensics and Security. 2014;9(7):1193–1205.
- View Article
- Google Scholar
15. Naor D, Naor M, Lotspiech J. Revocation and tracing schemes for stateless receivers. In: Advances in Cryptology-CRYPTO 2001. Springer; 2001. p. 41–62.
16. Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.
17. Boldyreva A, Goyal V, Kumar V. Adaptive-ID Secure Revocable Identity-Based Encryption. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.
18. Boldyreva A, Goyal V, Kumar V. Constructions o f CCA-Secure Revo cable Identity-Based Encryption. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.
19. Boldyreva A, Goyal V, Kumar V. An Efficient and Provable Secure Revocable Identity-Based Encryption Scheme. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.
20. Lee K, Lee DH, Park JH. Efficient revocable identity-based encryption via subset difference methods. Designs, Codes and Cryptography. 2017;85(1):39–76.
- View Article
- Google Scholar
21. Watanabe Y, Emura K, Seo JH. New revocable IBE in prime-order groups: Adaptively secure, decryption key exposure resistant, and with short public parameters. In: Cryptographers Track at the RSA Conference. Springer; 2017. p. 432–449.
22. Lee K, Choi SG, Lee DH, Park JH, Yung M. Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2013. p. 235–254.

[ref1] 1. Seo JH, Emura K. Efficient Delegation of Key Generation and Revocation Functionalities in Identity-Based Encryption. In: CT-RSA. vol. 7779. Springer; 2013. p. 343–358.

[ref2] 2. Horwitz J, Lynn B. Toward hierarchical identity-based encryption. In: Advances in Cryptology-EUROCRYPT 2002. Springer; 2002. p. 466–481.

[ref3] 3. Seo JH, Emura K. Revocable hierarchical identity-based encryption: history-free update, security against insiders, and short ciphertexts. In: Cryptographers Track at the RSA Conference. Springer; 2015. p. 106–123.

[ref4] 4. Tsai TT, Tseng YM, Wu TY. RHIBE: constructing revocable hierarchical ID-based encryption from HIBE. Informatica. 2014;25(2):299–326.
View Article
Google Scholar

[5] View Article

[6] Google Scholar

[ref5] 5. Lee K. Revocable Hierarchical Identity-Based Encryption with Adaptive Security. IACR Cryptology ePrint Archive. 2016;2016:749.
View Article
Google Scholar

[8] View Article

[9] Google Scholar

[ref6] 6. Seo JH, Emura K. Adaptive-ID secure revocable hierarchical identity-based encryption. In: International Workshop on Security. Springer; 2015. p. 21–38.

[ref7] 7. Ryu G, Lee K, Park S, Lee DH. Unbounded hierarchical identity-based encryption with efficient revocation. In: International Workshop on Information Security Applications. Springer; 2015. p. 122–133.

[ref8] 8. Rouselakis Y, Waters B. Practical constructions and new proof methods for large universe attribute-based encryption. In: Proceedings of the 2013 ACM SIGSAC conference on Computer & communications security. ACM; 2013. p. 463–474.

[ref9] 9. Xing Q, Wang B, Wang X, Chen P, Yu B, Tang Y, et al. Unbounded Revocable Hierarchical Identity-Based Encryption with Adaptive-ID Security. In: High Performance Computing and Communications; IEEE 14th International Conference on Smart City; IEEE 2nd International Conference on Data Science and Systems (HPCC/SmartCity/DSS), 2016 IEEE 18th International Conference on. IEEE; 2016. p. 430–437.

[ref10] 10. Waters B, et al. Dual System Encryption: Realizing Fully Secure IBE and HIBE under Simple Assumptions. In: Crypto. vol. 5677. Springer; 2009. p. 619–636.

[ref11] 11. Lewko AB, Waters B. New Techniques for Dual System Encryption and Fully Secure HIBE with Short Ciphertexts. In: TCC. vol. 5978. Springer; 2010. p. 455–479.

[ref12] 12. Lewko AB, Waters B. Unbounded HIBE and Attribute-Based Encryption. In: Eurocrypt. vol. 6632. Springer; 2011. p. 547–567.

[ref13] 13. Lee K, Park S. Revocable Hierarchical Identity-Based Encryption with Shorter Private Keys and Update Keys. IACR Cryptology ePrint Archive. 2016;2016:460.
View Article
Google Scholar

[18] View Article

[19] Google Scholar

[ref14] 14. Seo JH, Emura K. Revocable identity-based cryptosystem revisited: Security models and constructions. IEEE Transactions on Information Forensics and Security. 2014;9(7):1193–1205.
View Article
Google Scholar

[21] View Article

[22] Google Scholar

[ref15] 15. Naor D, Naor M, Lotspiech J. Revocation and tracing schemes for stateless receivers. In: Advances in Cryptology-CRYPTO 2001. Springer; 2001. p. 41–62.

[ref16] 16. Boldyreva A, Goyal V, Kumar V. Identity-based encryption with efficient revocation. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.

[ref17] 17. Boldyreva A, Goyal V, Kumar V. Adaptive-ID Secure Revocable Identity-Based Encryption. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.

[ref18] 18. Boldyreva A, Goyal V, Kumar V. Constructions o f CCA-Secure Revo cable Identity-Based Encryption. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.

[ref19] 19. Boldyreva A, Goyal V, Kumar V. An Efficient and Provable Secure Revocable Identity-Based Encryption Scheme. In: Proceedings of the 15th ACM conference on Computer and communications security. ACM; 2008. p. 417–426.

[ref20] 20. Lee K, Lee DH, Park JH. Efficient revocable identity-based encryption via subset difference methods. Designs, Codes and Cryptography. 2017;85(1):39–76.
View Article
Google Scholar

[29] View Article

[30] Google Scholar

[ref21] 21. Watanabe Y, Emura K, Seo JH. New revocable IBE in prime-order groups: Adaptively secure, decryption key exposure resistant, and with short public parameters. In: Cryptographers Track at the RSA Conference. Springer; 2017. p. 432–449.

[ref22] 22. Lee K, Choi SG, Lee DH, Park JH, Yung M. Self-updatable encryption: Time constrained access control with hidden attributes and better efficiency. In: International Conference on the Theory and Application of Cryptology and Information Security. Springer; 2013. p. 235–254.

Figures

Abstract

1 Introduction

1.1 Our techniques

1.2 Our result

1.3 Related works

Efficient user revocation in RHIBE.

Security model of R(H)IBE.

Adaptive security of R(H)IBE.

2 Preliminaries

2.1 Revocable HIBE

2.2 Complexity assumptions

3 Design of U-RHIBE system

3.1 HIBE scheme

3.2 IBE scheme

3.3 The CS method

3.4 Construction

3.5 Correctness

4 Security analysis

4.1 Definition of (ephemeral) semi-functional keys and ciphertexts

4.2 Sequence of games

4.3 Definition of oracles

4.4 Indistinguishability of GC′ and GSF″

4.4.1 Strategy for the indistinguishability of GC′ and GSF″.

4.4.2 Type-1 adversary.

4.4.3 Type-2 adversary.

4.5 Indistinguishability of GSF″ and GSF′

4.6 Indistinguishability of GC and GC′ and Indistinguishability of GSF′ and GSF

4.7 Indistinguishability of GReal and GC

4.8 Indistinguishability of GSF and GFinal

5 Conclusion

A Defination of the ephemeral semi-functional ciphertexts and keys

B Proof of lemmas

Acknowledgments

References

4.4 Indistinguishability of G_C′ and G_SF″

4.4.1 Strategy for the indistinguishability of G_C′ and G_SF″.

4.5 Indistinguishability of G_SF″ and G_SF′

4.6 Indistinguishability of G_C and G_C′ and Indistinguishability of G_SF′ and G_SF

4.7 Indistinguishability of G_Real and G_C

4.8 Indistinguishability of G_SF and G_Final