Almost-tight Identity Based Encryption against Selective Opening Attack

Almost-tight Identity Based Encryption against Selective Opening Attack Junqing Gong∗

Xiaolei Dong†

Zhenfu Cao‡

Jie Chen§

October 10, 2015

Abstract The paper presented an identity based encryption (IBE) under selective opening attack (SOA) whose security is almost-tightly related to a set of computational assumptions. Our result is a combination of Bellare, Waters, and Yilek’s method [TCC, 2011] for constructing (not tightly) SOA secure IBE and Hofheinz, Koch, and Striecks’ technique [PKC, 2015] on building almost-tightly secure IBE in the multi-ciphertext setting. In particular, we first tuned Bellare et al.’s generic construction for SOA secure IBE to show that a one-bit IBE achieving ciphertext indistinguishability under chosen plaintext attack in the multi-ciphertext setting (with one-sided publicly openability) tightly implies a multi-bit IBE secure under selective opening attack. Next, we almost-tightly reduced such a one-bit IBE to static assumptions in the composite-order bilinear groups employing the technique of Hofheinz et al. This yielded the first SOA secure IBE with almost-tight reduction.

Contents 1 Introduction 1.1 Background and Problem 1.2 Our Technique . . . . . . . 1.3 Related Work . . . . . . . . 1.4 Roadmap . . . . . . . . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

2 2 2 5 5

2 Preliminaries 2.1 Notations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2.2 Code-Based Games . . . . . . . . . . . . . . . . . . . . . . . 2.3 Identity Based Encryptions . . . . . . . . . . . . . . . . . . 2.4 Security against Selective Opening Attacks . . . . . . . . 2.5 Indistinguishability with One-sided Publicly Openability

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

. . . . .

5 5 6 6 7 7

3 Tightly Reducing SOA Security to IND-CPA with δ-1SPO 3.1 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3.2 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

8 8 9

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

. . . .

4 Tightly Reducing IND-CPA IBE with δ-1SPO to Static Assumptions 11 4.1 Composite-order Bilinear Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 11 4.2 Construction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 4.3 Security Analysis . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13 5 Conclusion

22

∗

Department of Computer Science and Engineering, Shanghai Jiao Tong University. Email: [email protected] Shanghai Key Lab for Trustworthy Computing, East China Normal University. Email: [email protected] ‡ Shanghai Key Lab for Trustworthy Computing, East China Normal University. Email: [email protected] § Shanghai Key Laboratory of Multidimensional Information Processing and Shanghai Key Lab of Trustworthy Computing, East China Normal University. Email: [email protected] †

1

1 1.1

Introduction Background and Problem

Boneh and Franklin [BF01] formalized the notion of ciphertext indistinguishability under chosen ciphertext attack (IND-CCA) for identity based encryptions (IBE) and proposed the first practical solution in the random oracle model. Since then IND-CCA security and its weakened version, ciphertext indistinguishability under chosen plaintext attack (IND-CPA), have been accepted as standard security definitions for IBE. However stronger security guarantee is required in some application scenarios. In 2011, Bellare, Waters, and Yilek proposed the selective opening security (SOA) for IBE, which may act as the basis for discussing adaptively secure multi-party computation protocol [BWY11]. Different from IND-CPA, the SOA security formalized in [BWY11] considers a communication system with multiple senders and multiple receivers. Besides eavesdropping all ciphertexts from communication channel, the adversary can also corrupt a subset of senders, extracting their plaintexts as well as random coins they used when generating corresponding ciphertexts. The SOA security ensures that ciphertexts sent by uncorrupted senders should not reveal any useful information on their corresponding plaintexts. To construct an IBE achieving SOA security described above, Bellare et al. [BWY11] introduced a new primitive, IND-CPA one-bit IBE with one-sided publicly openability (1SPO), which is analogous to a weaker form of deniable public key encryption (PKE) [CDNO97]. Informally, the 1SPO property here requires that one can publicly recover the random coins used to encrypt message 1. They showed that a one-bit IBE with such a security guarantee can be generically transformed to a multi-bit IBE with SOA security in a quite straight way and provided two concrete constructions for such type of IBE based on Boyen and Waters’s anonymous IBE [BW06] and De Caro, Iovino and Persiano’s anonymous IBE [DCIP10], which is further based on Lewko and Waters’ IBE [LW10] employing the recently developed dual system technique [Wat09]. This results in two SOA secure IBE schemes based on decisional linear assumption and general subgroup decision assumption, respectively. However both resulting constructions are not tight, the security loss is O (k`) where k is the number of senders and ` is the length of each message in binary form. Namely the advantage of breaking the SOA security of these scheme is bounded by the advantage of solving some computational assumption times a factor O (k`). This means that, in order to reach certain bit security, we have to use larger security parameters to compensate the security loss, which often leads to large group size and inefficient group operation. Therefore a tightly secure construction is desirable from both theoretical and practical points of view. Our paper is devoted to develop an IBE scheme reaching SOA security in a tighter fashion. In particular, we give a SOA secure IBE almost-tightly reduced to several static assumptions using composite order bilinear groups. The “almost-tight” means the security loss is proportional to the security parameter λ and independent of k and `. In general, we consider λ as a number far smaller than k`.

1.2

Our Technique

Our work is motivated by the work of Hofheinz, Koch, and Striecks on almost-tight IBE in the multiinstance, multi-ciphertext setting [HKS15]. Roughly speaking, the so-called “ciphertext indistinguishability in the multi-instance, multi-ciphertext setting” ensures the confidentiality of multiple ciphertexts simultaneously. In the paper, we only consider a special case, i.e., the “single-instance, multi-ciphertext” setting (IND-mCPA). On the other hand, in the terms of Hofheinz et al., the one-bit IBE used in Bellare et al.’s generic construction of SOA secure IBE is IND-CPA in the single instance, single ciphertext setting. Therefore a straight observation shows that, if we replace the one-bit IBE here with an IND-mCPA one-bit IBE also with 1SPO, this generic construction would become constantly tight. This result is quite obvious and is easy to demonstrate, we briefly present it in Section 3 to make the paper self-contained. Having a tight generic transformation from IND-mCPA one-bit IBE to SOA secure multi-bit IBE, the remaining work is to build such a one-bit IBE whose security is almost-tightly related to some computational assumptions. Our solution is a combination of Bellare, Waters, and Yilek’s second construction [BWY11] and Hofheinz, Koch, and Striecks’ technique [HKS15]. Before explaining our solution, we first review these two basic work. Dual System Technique. Both work follows the dual system technique invented by Waters [Wat09]. For an IBE scheme employing dual system technique, we define two forms for secret keys and ciphertexts, normal and semi-functional, which should be indistinguishable from each other. The normal keys and ciphertexts are

2

used in the real system. We will say they are in the normal space. The semi-functional keys and ciphertexts will only be used in security proof and are always defined as normal keys and ciphertexts mixed with some additional components. We will call these components semi-functional components and say they are in the semi-functional space. Relying on certain algebraic feature, we can ensure the independence of normal space and semi-functional space in some sense, which allows us to make some changes (say, increasing entropy and breaking some algebraic structure) in the semi-functional space but avoid negative impact on the normal space, i.e., the real system. Bellare, Waters, and Yilek’s Method. Bellare et al.’s idea [BWY11] is originated from the work on deniable encryption [CDNO97]. From a high level, they built a one-bit IBE with both IND-CPA and one-sided invertible sampleability (1SIS). An encryption of message 0 has some specific algebraic structure which is detectable for secret keys (of course, related to the same identity) but is pseudo-random from view of outsiders (adversaries); an encryption of message 1 is truly random and invertible samplable using just master public key. Assume a composite order bilinear groups (G, G T , e, N = p1 p2 p3 p4 ), we let GN 0 be the subgroup of order N 0 |N . We note that one can decompose G as G p1 × G p2 × G p3 × G p4 and pairing operation on two elements from two subgroups of co-prime orders equals 1GT . Their second construction works as follows. An encryption of 0 for identity ID ∈ ZN is in the form of €

ID U14 X 14

Šs

t0

t

s W14 g44

g44 ,

where U14 , X 14 , W14 ∈ G p1 p4 , g4 ∈ G p4 are parts of the master public key and s, t 4 , t 40 ∈ ZN are random coins for encryption. Since both encryption and master public key are independent in subgroup G p4 , the algebraic structure is hidden for the outsider, which can be proved following [DCIP10, LW10]. However the structure can be detected using the secret key in the form of r

€

g1r g33 ,

U1ID X 1

Šr

r0

g33

because they let U1 , X 1 , g1 ∈ G p1 share the same G p1 -component with U14 , X 14 , W14 , respectively, and subgroup G p1 , G p3 and G p4 are pairwise orthogonal under pairing operations. Here the subgroup G p1 acts as the normal space while the subgroup G p2 is the semi-functional space. The remaining two subgroups G p3 and G p4 are used to additionally randomize keys and ciphertexts, respectively. Hofheinz, Koch, and Striecks’s Construction and Proof Technique. Their construction inherited the main algebraic structure of Chen and Wee’s almost-tightly secure IBE in the single-ciphertext setting [CW13] which employed a variant form of Waters Hash [Wat05]. It also works on a bilinear group of composite order N = p1 p2 p3 p4 as above but supports the identity space defined as the set of all n-bit binary string. An encryption of message M for identity ID ∈ {0, 1}n is in the form of g1s ,

P

g1

w[2i−ID[i]]·s

e(g1 , h)αs · M

,

α where g1 ∈ G p1 , g1w ∈ G2n p1 and e(g 1 , h) ∈ G T are parts of the master public key, and s is the random coin for encryption, while secret keys are in the form of P

w[2i−ID[i]]·r

hα · h123

· R4 ,

r h123 · R04

0 where α ∈ ZN , h ∈ G, h123 ∈ G p1 p2 p3 , hw 123 ∈ G p1 p2 p3 are given in the master secret keys, and r ∈ ZN , R 4 , R 4 ∈ G p4 are random coins. Here subgroup G p1 again acts as the normal space, the semi-functional space consists of subgroup G p2 and G p3 . The last subgroup G p4 is now used to randomize keys. We now briefly review the proof procedure. The proof begins with introducing G p2 -component into ciphertexts and conceptually inserting an random function R0 mapping identity space to subgroup G p2 p3 whose output is truly random but independent of the input as follows.

CT

:

(g1 g2 )s , SK

:

P

(g1 g2 )

w[2i−ID[i]]·s

P

,

w[2i−ID[i]]·r

hα · R0 (ID) · h123

e((g1 g2 )s , hα · R0 (ID) ) · M · R4 ,

r h123 · R04

The next step is to gradually increase the dependence of R0 ’s output on its input, from 0 bit to n bits. Here we need n computationally arguments and arise O (n) security loss but unrelated to the number of secret keys or 3

ciphertexts. Technically, each step relies on the orthogonality of subgroup G p2 and G p3 to independently adopt the proof technique introduced by Chen and Wee [CW13] in each of the two subgroups. Finally, we will reach the scenario with CT

P

(g1 g2 )s ,

:

SK

(g1 g2 )

w[2i−ID[i]]·s

P

e((g1 g2 )s , hα · Rn (ID) ) · M

,

w[2i−ID[i]]·r

hα · Rn (ID) · h123

:

r h123 · R04

· R4 ,

where now Rn ’s output depends on all bits of identity ID. Combining the feature of random function and the entropy of s, the random coin for encryption, we can readily show the pseudo-randomness of term e((g1 g2 )s , hα · Rn (ID)) in all ciphertexts simultaneously in a tight fashion. Our Attempts and Solution. At first glance, we can apply Bellare et al.’s idea directly to Hofheinz, Koch, and Striecks’ construction. We may remove the master secret key hα and drop payload mask e(g1 , h)α , put the structure into a bilinear group of order N = p1 p2 p3 p4 p5 and use the extra subgroup G p5 to hide the structure of ciphertexts as [DCIP10, BWY11]. The result is as follows. An encryption of message 0 for identity ID ∈ {0, 1}n looks like P w[2i−ID[i]]·s t 50 t g5 g1 g1s g55 , t

t0

t0

t

where g55 , g55 ∈ G p5 function as g44 and g44 , while g1 ∈ G p1 and g1w ∈ G2n p1 should be multiplied by a random element of G p5 before they are published with g5 as the master public key. On the other hand, secret keys for ID should look like P w[2i−ID[i]]·r r h123 · R4 , h123 · R04 It is easy to verify the correctness of this construction. However the proof technique for proving IND-mCPA is not applicable now. We remark that it is the master secret α that allows us to introduce the random function into the system after introducing G p2 -components into all ciphertexts. A natural idea to overcome this problem may be to take hα back in secret keys and put an additional term e(g1 , h)αs in ciphertexts. However we still don’t know how to prove the resulting scheme to be IND-mCPA yet even though Hofheinz et al.’s proof technique now works. To see that we remind the reader of the fact that our technical goal is to show all components in ciphertexts of message 0 are pseudo-random. The proof technique P w[2i−ID[i]]·s

t0

here finally allows us to argue the pseudo-randomness of e(g1 , h)αs , but not g1 g55 , since no additional entropy has been introduced in it during the proof. It is worth noting that Attrapadung et al. [AHY15] showed how to tightly obtain anonymity from a similar structure (using prime-order bilinear groups), i.e., the IND-mCPA in our setting. However they required the key generation procedure to be somewhat deterministic. Namely they use the same random coins for generating secret keys for the same identity. In our paper, we continue to work with the classical definition where each secret key is created from fresh random coins. Our solution is to turn to the original version of Waters Hash [Wat05] where the encoding of identity ID is not linear but affine. In particular, we define an encryption for message 0 as (u+

t g1s g55 ,

P

g1

w[2i−ID[i]])·s

t0

g55

where the newly introduced g1u ∈ G p1 is also published as a part of master public key after hidden by a random element of G p5 ; secret keys are defined as (u+ h123

P

w[2i−ID[i]])·r

r h123 · R04

· R4 ,

where u is also introduced to maintain correctness. At this time, we can insert a random function relying on the entropy of u ∈ ZN and continue the proof procedure, which circumvents the issues in our first attempt. In particular, the first step of the proof now results in the following ciphertexts and secret keys CT

:

t

(g1 g2 )s g55 , SK

:

R (ID)·r

h230

(g1 g2 )(u+ (u+ · h123

P

P

w[2i−ID[i]])·s

w[2i−ID[i]])·r

· R4 ,

t0

R (ID)·s

g55 · g2 0 r h123 · R04

where we define the random function mapping from identity space to ZN instead of G p2 p3 . We note that, different from Hofheinz et al.’s proof, the random function in our proof is associated with random coin r in secret keys instead of standing alone, and is associated with random coin s directly in ciphertexts instead of 4

connected through bilinear map e. Finally, we will reach the following configuration using Hofheinz et al.’s technique with tiny technical tuning due to our different definition of random function R0 and Rn . CT

:

SK

t

(g1 g2 )s g55 , :

R (ID)·r

h23n

(g1 g2 )(u+ (u+ · h123

P

P

w[2i−ID[i]])·s

w[2i−ID[i]])·r

· R4 ,

t0

R (ID)·s

g55 · g2 n

r h123 · R04

(u+ w[2i−ID[i]])·s R (ID)·s R (ID)·r At this moment, we see that the pseudo-random terms g2 n and h23n are bound with g1 P (u+ w[2i−ID[i]])·r and h123 respectively, which facilitates the proof of pseudo-randomness of the entire ciphertexts and circumvents the problem in our second attempt. We show the formal description of this construction and its security analysis in Section 4. P

1.3

Related Work

Identity Based Encryption. The notion of identity based encryption was introduced by Shamir [Sha85] to alleviate the cost of key management in traditional PKI framework. The first practical solution with formal security analysis for this promising primitive was found by Boneh and Franklin [BF01] in 2001 using bilinear groups. A bunch of constructions are proposed in the next several years, including classical BonehBoyen [BB04b, BB04a], Waters [Wat05], and Gentry [Gen06] construction. A recent breakthrough in this field is the introduction of dual system technique by Waters [Wat09], which is now widely used for building various types of adaptively secure functional encryptions [LW10, LOS+ 10, OT10, LW11, CLL+ 13, Lew12, LW12, OT12b, OT12a, RCS12, JR13]. There also appears general frameworks investigating the dual system technique, especially its application in functional encryption [Att14, BKP14, Wee14, CGW15]. In 2013, Chen and Wee [CW13] eastablished the first IBE scheme with almost-tight reduction to static assumptions in the standard model, combining the dual system technique with Naor-Reingold technique for pseudo-random functions [NR04]. The method was extended to the “multi-instance, multi-ciphertext” setting by Hofheinz, Koch, and Striecks [HKS15]. Two very recent work [AHY15, GCD+ 15] gave the prime-order realization of Hofheinz et al.’s composite-order construction. Besides that the work by Attrapadung et al. [AHY15] also proposed a framework for building almost-tight IBE from broadcast encodings [Att14], which leads to a lot of new constructions with diverse features. Selective Opening Security. The study of selective opening security started from the field of public key encryption. Since the work of Bellare, Hofheinz, and Yilek [BHY09], the community obtained several solutions [FHKW10, HLOV11, Hof12, HLQ13, HJKS15, LP15] covering various settings such as chosen plaintext attack (SO-CPA) and chosen ciphertext attack (SO-CCA). In 2011, Bellare, Hofheinz, and Yilek brought SOA security into the field of IBE [BWY11] by considering SO-CPA security. The blank of SO-CCA security was recently filled by Lai et al. [LDL+ 14] relying on several newly introduced primitives. Our paper only considers SO-CPA following [BWY11]. Very recently, He et al. [HLL+ 15] gave an IBE scheme achieving indistinguishability-based SOA security under chosen-plaintext attack in the selective identity model, which is weaker than the security model used in [BWY11, LDL+ 14] and ours as well.

1.4

Roadmap

The remainder of our paper is organized in three parts. We first define some notations and review several concepts and security models in Section 2. Section 3 shows a generic construction from IND-mCPA one-bit IBE to SOA-secure multi-bit IBE with tight reduction. Such a one-bit IBE is presented in Section 4 followed by a series of static assumptions in composite-order bilinear groups. Finally, we conclude the paper in Section 5.

2 2.1

Preliminaries Notations

We employ x := f ( y) to denote the process of assigning to x the result of f ( y) for some formula f (·) and some value y. For any positive number n, we define [n] := {1, . . . , n}. For any list or vector w, we

5

let w[i] denote the ith entry of w. Similarly, for any binary string ID ∈ {0, 1}∗ , we use ID[i] to indicate the ith bit of ID. The notation y ← Alg(x 1 , . . . , x n ; r1 , . . . , rm ) or Alg(x 1 , . . . , x n ; r1 , . . . , rm ) → y refer to the process of running algorithm Alg with inputs x 1 , . . . , x n and random coins r1 , . . . , rm , then assigning the result to variable y. The random coins may be omitted for brevity. We may also use a more compact form y ←

Alg (x; r) where x := x 1 , . . . , x n and r := r1 , . . . , rm . For any fixed input x, the set [Alg(x)] is defined as  y : ∃r s.t. Alg(x; r) = y . Given a finite cyclic group G, we use X ← G to denote the process of sampling a random element in G. In particular, the notation is for the so-called “lazy sampling”. Assuming g ∈ G is a generator of group G of order N , we sample X from G by randomly sampling x from ZN and set X := g x . As [BWY11], we consider sampling random element from ZN (for any N ∈ Z>0 ) as the unique random source in our system, and denote this atomic process by x ← ZN . For any element g ∈ G and list or vector w = (w1 , . . . , w n ) ∈ ZnN , we define g w := (g w1 , . . . , g w n ) ∈ Gn . Given g = (g1 , . . . , g n ) and h = (h1 , . . . , hn ), two vectors over G, we define g · h := (g1 · h1 , . . . , g n · hn ) ∈ Gn .

2.2

Code-Based Games

As [BWY11], we employ code based games [BR06] for our security definitions and proofs. A code based game is defined by an Initialize procedure and a Finalize procedure plus a series of procedures, which will be used to answer adversary A ’s queries and depends on the security notion we concern. The game begins with running Initialize procedure and transmitting the result to adversary A . During the game, A is allowed to make various types of queries in any order. In general, A is capable of making polynomial-many queries. Finally, A is expected to return an output before it halts. The output of the game is then obtained by invoking Finalize procedure on A ’s output. As usual, we let GameA (λ) = y denote the event that the output of executing Game with adversary A on security parameter 1λ is y.

2.3

Identity Based Encryptions

Algorithms. An identity-based encryption scheme with identity space IdSp and message space MsgSp consists of four (probabilistic) polynomial time algorithms defined as follows: – Setup(1λ ) → (MPK, MSK). The setup algorithm takes as input a security parameter 1λ , and outputs a master public key MPK and the corresponding master secret key MSK. – KeyGen(MPK, MSK, ID) → SK. The key generation algorithm takes as input a master public key master secret key MSK and an identity ID ∈ IdSp, and outputs a secret key SK. – Enc(MPK, ID, M) → CT. The encryption algorithm takes as input a master public key ID ∈ IdSp and a message M ∈ MsgSp, outputs a ciphertext CT . – Dec(MPK, SK, CT) → M. The decryption algorithm takes as input a master public key and a ciphertext CT, outputs a message M or a failure symbol ⊥.

MPK ,

MPK ,

MPK ,

a

an identity

a secret key

SK

Correctness. The correctness (with negligible failure probability) requires that, for all security parameter λ, for all (MPK, MSK) ∈ [Setup(1λ )], all ID ∈ IdSp, and all M ∈ MsgSp, it holds that Pr [Dec(MPK, KeyGen(MPK, MSK, ID), Enc(MPK, ID, M)) = M] ¾ 1 − ε, where ε is negligible in λ and the probability space is defined by random coins consumed by algorithm KeyGen and Enc. More Notations. We now define two sets for an IBE scheme. We let Coins(MPK, M) be the set of random coins used to encrypt message M for all (MPK, MSK) ∈ [Setup(1λ )]. We also use Coins(MPK, ID, CT, M) to denote {r : CT = Enc(MPK, ID, M; r)}, the set of all random coins which makes algorithm Enc to produce CT as the ciphertext for message M under MPK and ID.

6

2.4

Security against Selective Opening Attacks

Bellare et al. [BWY11] formally defined selective opening security in the setting of IBE based on the work of [BHY09]. This subsection review their definition through two games: SOAREAL and SOASIM, defined in Figure 1 and Figure 2, respectively. In the figures, M is called (k, `)-message sampler which takes α ∈ {0, 1}∗ as input and returns m such that |m| = k and m[i] ∈ {0, 1}` for all i ∈ [k], and R is any randomized algorithm with binary output. In both games, an adversary must make one NewMesg query before one Corrupt query. Besides, game SOAREAL additionally allows the adversary to adaptively make polynomially-many Extract queries. Initialize (MPK, MSK) ← Setup(1λ ) return MPK NewMesg(id, α) if id ∩ ExID 6= ; then return ⊥ ChID := ChID ∪ id m ← M (α) for i ∈ [k] do r[i] ← Coins(MPK, m[i]) ct[i] ← Enc(MPK, id[i], m[i]; r[i]) return ct

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID} return KeyGen(MPK, MSK, ID) Corrupt(I) return r[I], m[I] Finalize(OUT) return R(m, ChID, I, OUT)

Figure 1: SOAREAL Game

Initialize return ⊥

Corrupt(I) return m[I]

NewMesg(id, α) ChID := ChID ∪ id m ← M (α) return ⊥

Finalize(OUT) return R(m, ChID, I, OUT)

Figure 2: SOASIM Game The SOA-advantage function of SOA-adversary A against an SOA-simulator S with respect to M and R is defined as follows. ” — ” — AdvSOA (λ) := SOAREAL (λ) = 1 − Pr SOASIM (λ) = 1 Pr . A ,M ,R S ,M ,R A ,S ,M ,R An IBE scheme is SOA secure if and only if, for any message sampler M , any binary relation R, any probabilistic polynomial time SOA-adversary A , there exists an SOA-simulator S such that the advantage function AdvSOA A ,S ,M ,R (λ) is negligible in λ.

2.5

Indistinguishability with One-sided Publicly Openability

The ciphertext indistinguishability under chosen plaintext attack [BF01] (IND-CPA) is one of well-known security definitions for IBE. In the model, given master public key, an adversary is able to obtain polynomiallymany secret keys adaptively and a single challenge ciphertext for one of challenge messages, and is asked to guess a secret bit (which indicates which challenge message is used to generate challenge ciphertext). We consider IND-CPA in the multi-ciphertext setting (IND-mCPA) where the adversary now has access to polynomially-many challenge ciphertexts, which is recently proposed and investigated in more general multiinstance, multi-ciphertext setting [HKS15]. More formally, we review the notion of IND-mCPA [HKS15] through game INDmCPA shown in Figure 3. The advantage function of adversary A in game INDmCPA is defined as   AdvINDmCPA (λ) := Pr INDmCPAA (λ) = 1 − 1/2 . A

7

Initialize (MPK, MSK) ← Setup(1λ ) β ← {0, 1} return MPK

Challenge(ID∗ , M∗0 , M∗1 ) ∗

∈ ExID then return ⊥ ChID := ChID ∪ {ID∗ } return Enc(MPK, ID∗ , M∗β )

if

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID} return KeyGen(MPK, MSK, ID)

ID

Finalize(β 0 ) return (β = β 0 )

Figure 3: INDmCPA Game An IBE scheme is said to be IND-mCPA if and only if the advantage function AdvINDmCPA (λ) is negligible in λ A for any probabilistic polynomial time adversary A . However the IND-mCPA alone is not sufficient for realizing SOA security. We require an additional property, called One-Sided Publicly Openability (1SPO), proposed by Bellare et al. [BWY11] based on the concept of deniable PKE [CDNO97]. Roughly speaking, 1SPO for an IBE with MsgSp = {0, 1} means that one can publicly open a ciphertext for message 1 by presenting its random coins. More formally, we review the following algorithm. – OpenToOne(MPK, ID, CT) → r. The setup algorithm takes as input a master public key MPK, an identity ID ∈ IdSp and a ciphertext CT of 1, outputs a random coin r such that CT = Enc( MPK , ID , 1; r). We allow algorithm OpenToOne to output failure symbol ⊥ with probability δ and require that, for all [Setup(1λ )], all ID ∈ IdSp, all CT ∈ [Enc(MPK, ID, 1)], and all br ∈ Coins(MPK, ID, CT, 1), Pr [r ← OpenToOne(MPK, ID, CT) : r = br |r 6= ⊥] =

MPK

∈

1 |Coins(MPK, ID, CT, 1)|

The algorithm is called δ-1SP opener and an IBE with a δ-1SP opener is called δ-one-sided publicly openable (δ-1SPO).

3

Tightly Reducing SOA Security to IND-CPA with δ-1SPO

Bellare et al. [BWY11] presented a trivial construction for `-bit IBE IBE` from one-bit IBE IBE, and proved that IBE` achieves SOA security if the underlying IBE is IND-CPA with δ-1SPO. Their reduction has polynomial security loss. We review this trivial construction (with different identity space) and prove that IBE` achieves SOA security if the underlying IBE is IND-mCPA with δ-1SPO. We emphasize that our reduction only has constant security loss.

3.1

Construction

n Assume an one-bit IBE IBE = (Setup, KeyGen € Š , Enc, Dec) with IdSp = {0, 1} and MsgSp = {0, 1}. The ` ` ` ` ` n `-bit IBE IBE = Setup , KeyGen , Enc , Dec with IdSp = {0, 1} (identical to IBE) and MsgSp = {0, 1}` is defined as in Figure 4.

Setup` (1λ , n) return Setup(1λ , n)

KeyGen` (MPK, MSK, ID) return KeyGen(MPK, MSK, ID)

Dec` (MPK, SK, ct)

Enc` (MPK, ID, M)

for i ∈ [`] do M [i] ← Dec( MPK , SK , ct[i]) return M

for i ∈ [`] do ct[i] ← Enc(MPK, ID, M[i]) return ct

Figure 4: From IBE to IBE` . It is quite clear that the correctness of the resulting IBE follows from the underlying one. More concretely, if IBE is correct with failure probability ε, IBE` is correct with failure probability ` · ε. 8

3.2

Security Analysis

We want to prove the following theorem. Theorem 1 For any message sampler M , any binary relation R, any probabilistic polynomial time SOA-adversary A making at most Q K Extract queries, there exists a probabilistic polynomial time SOA-simulator S and adversary B such that INDmCPA AdvSOA (λ) + k` · δ. A ,S ,M ,R (λ) ≤ 2 · AdvB The proof begins with constructing a SOA-simulator S in SOASIM game, which takes any probabilistic polynomial time SOA-adversary A as oracle. Our proof continues employing Bellare et al.’s construction and we recall it in Figure 5. The SOA-simulator S prepares a fresh master public/secret key pair (MPK, MSK) and initializes a SOA-adversary A using MPK. To obtain A ’s output, S answers all queries made by it, i.e., simulating SOAREAL game for A . The Extract queries are directly answered using MSK. For the NewMesg query, SOA-simulator S returns k encryptions of message 0` . In the figure, we use NewMesgS to denote the NewMesg oracle for S in SOASIM game, which returns nothing to S . For the Corrupt query, S opens corrupted messages correctly relying on the power of OpenToOne algorithm. In particular, if the corrupted message bit is 0, the random coin used when answering NewMesg query could be returned directly; if the bit is 1 instead, the random coin must be resampled so as to explain the corresponding ciphertext S has given to A , which is originally an encryption of 0, to be an encryption of 1.

main() (MPK, MSK) ← Setup` (1λ ) return A (MPK) NewMesg(id, α) NewMesgS (id, α) for i ∈ [k] do r[i] ← Coins(MPK, 0` ) ct[i] ← Enc` (MPK, ID[i], 0` ; r[i]) return ct

Corrupt(I) m[I] ← CorruptS (I) for i ∈ I and j ∈ [`] do if m[i][ j] = 1 then r[i][ j] ← OpenToOne(MPK, id[i], ct[i][ j]) return r[I], m[I] Extract(ID) return KeyGen` (MPK, MSK, ID)

Figure 5: SOA-simulator S . One may see that the simulation of S is different from the specification of SOAREAL. Therefore the next step of the proof is to show that the simulation described in Figure 5 and the real SOAREAL are computationally indistinguishable from the viewpoint of A . In detail, we employ hybrid argument using the game sequence shown in Figure 6. We have the following lemmas immediately. Lemma 1 For any message sampler M , any binary relation R, any adversary A , Pr[Game 0,A ,M ,R (λ) = 1] − Pr[Game1,A ,M ,R (λ) = 1] ≤ k` · δ. Lemma 2 For any message sampler M , any binary relation R, any adversary A , Pr[Game2,A ,M ,R (λ) = 1] = Pr[Game3,A ,M ,R (λ) = 1]. Lemma 3 For any message sampler M , any binary relation R, any adversary A , Pr[Game3,A (λ) = 1] = Pr[SOASIMS ,M ,R (λ) = 1]. The first lemma follows from the fact that the algorithm OpenToOne is not perfect, its failure probability is δ, and there are at most k` applications of OpenToOne. For the second lemma, since we can answer NewMesg queries without knowing anything about m, it is safe to defer the sampling of m. The last lemma follows the observation that the SOA-simulator described in Figure 5 is able to simulate Game3 and S ’s output always equals A ’s. To finish the proof of the theorem, we must fill the gap between Game1 and Game2 . Especially, we prove the following lemma.

9

NewMesg(id, α) if id ∩ ExID 6= ; then return ⊥ ChID := ChID ∪ id m ← M (α)

Game0 , Game1 , Game2

m←⊥ for i ∈ [k] and j ∈ [`] do r[i][ j] ← Coins(MPK, m[i][ j])

Game3 Initialize (MPK, MSK) ← Setup(1λ ) return MPK

r[i][ j] ← Coins(MPK, 0) ct[i][ j] ← Enc(MPK, id[i], m[i][ j]; r[i][ j])

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID} return KeyGen(MPK, MSK, ID) Finalize(OUT) return R(m, ChID, I, OUT)

ct[i][ j] ← Enc(MPK, id[i], 0; r[i][ j]) return ct Corrupt(I) m ← M (α) for i ∈ I and j ∈ [`] do if m[i][ j] = 1then r[i][ j] ← OpenToOne(MPK, id[i], CT[i][ j]) return r[I], m[I]

Figure 6: Game Sequence for SOA security Lemma 4 (Game1 ≈ Game2 ) For any message sampler M , any binary relation R, any probabilistic polynomial time adversary A making at most Q K key extraction queries, there exists an adversary B such that ” — ” — (λ). Pr Game1,A ,M ,R (λ) = 1 − Pr Game2,A ,M ,R (λ) = 1 ≤ 2 · AdvINDmCPA B and Time(B) ≈ Time(A ) + (k` + Q K ) · poly(λ) where poly is independent of A . Proof. Given

MPK

Initialize Return

and oracle access to ExtractB and Challenge, algorithm B proceeds as follows: MPK .

Extract(ID) Return ExtractB (ID). NewMesg(id, α) Return ⊥ when id ∩ ExID 6= ;. Update ChID := ChID ∪ id. Sample m ← M (α). For i ∈ [k] and j ∈ [`], if m[i][ j] = 1, set ct[i][ j] ← Challenge(id[i], 0, 1), otherwise, sample r[i][ j] ← Coins(MPK, 0) and ct[i][ j] ← Enc(MPK, id[i], 0; r[i][ j]). Return ct. Corrupt(I) For i ∈ I and j ∈ [`], if m[i][ j] = 1, set r[i][ j] ← OpenToOne(MPK, id[i], ct[i][ j]). Return (r[I], m[I]). When A halts with output OUT, algorithm B outputs R(m, ChID, I, OUT). Observe that if β = 0, the outputs of Challenge are encryptions of 0 and the simulation is identical to Game2 . On the other hand, if β = 1, the outputs of Challenge are encryptions of 1 and the simulation is iden— ” — ” tical to Game1 . Therefore we can conclude that Pr Game1,A ,M ,R (λ) = 1 − Pr Game2,A ,M ,R (λ) = 1 ≤ 2 · AdvINDmCPA (λ). B

ƒ

10

4

Tightly Reducing IND-CPA IBE with δ-1SPO to Static Assumptions

4.1

Composite-order Bilinear Groups

We assume a group generator GrpGen for composite-order bilinear groups, which takes as input a security
parameter 1λ , outputs N , G, G T , e, p1 , . . . , p5 where N = p1 · · · p5 and all pi are prime numbers in [2λ−1 , 2λ − 1], both G and G T are cyclic groups of order N , and e : G × G → G T is an admissible bilinear map. We let G and G T also contain their generators, denoted by g ∈ G and g T ∈ G T , respectively. We define public group
description G = N , G, G T , e and take factoring of N , i.e., p1 , . . . , p5 , as secret information. It is the secret information that allow us to derive the generator of each subgroup from the generator of the entire group, i.e., g ∈ G, and sample random element from it. For positive integer N 0 with N 0 |N , we use GN 0 to indicate the unique subgroup of order N 0 . Given g ∈ Gn and h ∈ Gm such that gcd(n, m) = 1, we have e(g, h) = 1GT . In fact, we can decompose G as G p1 × · · · × G p5 Q5 x and write g x for x ∈ ZN as i=1Q g i i where G pi is generated by g i ∈ G pi and x i ∈ ZN is unique modulo pi . Q x Under the representation, we call i∈I g i i for some I ⊆ [5] the GN 0 -part of g x where N 0 = i∈I pi . We need the following six computational assumptions to reach IND-mCPA security. Assumption 1, 2, 5, 6 are concrete instantiations of General Subgroup Decision Assumption formalized by Bellare et al. [BWY11] which is inspired by several concrete assumptions used in [BGN05, DCIP10, LW10]. Assumption 3 and 4 are modified from Hofheinz et al.’s Dual System Assumption 3 [HKS15] and Chen and Wee’s second assumption in [CW13], respectively. In fact the Dual System Assumption 3 [HKS15] was also derived from Chen and Wee’s second assumption. All of them could be viewed as Diffie-Hellman Assumption on subgroups of compositeorder G. Assumption 1 For any probabilistic polynomial time adversary A , the advantage function defined as follows are negligible in λ.     AdvSD1 A (λ) := Pr A (D, T0 ) = 1 − Pr A (D, T1 ) = 1 where

N , G, G T , e, p1 , . . . , p5 ← GrpGen(1λ ); G = N , G, G T , e ; g1 ← G p1 ; g4 ← G p4 ; g5 ← G p5 ; X 1 X 2 X 3 ← G p1 p2 p3 ;
D ← G , g1 , g4 , g5 , X 1 X 2 X 3 ; T0 ← G p1 ; T1 ← G p1 p2 . Assumption 2 For any probabilistic polynomial time adversary A , the advantage function defined as follows are negligible in λ.     AdvSD2 A (λ) := Pr A (D, T0 ) = 1 − Pr A (D, T1 ) = 1 where

N , G, G T , e, p1 , . . . , p5 ← GrpGen(1λ ); G = N , G, G T , e ; g1 ← G p1 ; g4 ← G p4 ; g5 ← G p5 ; X 2 X 5 ← G p2 p5 ; Y2 Y3 ← G p2 p3 ;
D ← G , g1 , g4 , g5 , X 2 X 5 , Y2 Y3 ; T0 ← G p2 p5 ; T1 ← G p3 p5 . Assumption 3 For any probabilistic polynomial time adversary A , the advantage function defined as follows are negligible in λ.     AdvDDH1 (λ) := Pr A (D, T ) = 1 − Pr A (D, T ) = 1 A

0

1

where

N , G, G T , e, p1 , . . . , p5 ← GrpGen(1λ ); G = N , G, G T , e ; g 1 ← G p1 ; g 2 ← G p2 ; g 3 ← G p3 ; g 4 ← G p4 ; g 5 ← G p5 ; Xe4 , Ye4 , X 4 , Y 4 ← G p4 ; x, y, z ← Z∗N ; € Š y y D = G , g1 , g2 , g3 , g4 , g5 , g2x Xe4 , g2 Ye4 , g3x X 4 , g3 Y 4 ; € x y x yŠ € x y+z x y+z Š T0 ← g2 , g3 ; T1 ← g2 , g3 .

11

Assumption 4 For any probabilistic polynomial time adversary A , the advantage function defined as follows are negligible in λ.     AdvDDH2 (λ) := Pr A (D, T0 ) = 1 − Pr A (D, T1 ) = 1 A where

N , G, G T , e, p1 , . . . , p5 ← GrpGen(1λ ); G = N , G, G T , e ; g1 ← G p1 ; g2 ← G p2 ; g3 ← G p3 ; g4 ← G p4 ; g5 ← G p5 ; Xe5 , Ye5 ← G p5 ; x, y, z ← Z∗N ; € Š y D = G , g1 , g2 , g3 , g4 , g5 , g2x Xe5 , g2 Ye5 ; xy

x y+z

T0 ← g2 ; T1 ← g2

.

Assumption 5 For any probabilistic polynomial time adversary A , the advantage function defined as follows are negligible in λ.     AdvSD3 A (λ) := Pr A (D, T0 ) = 1 − Pr A (D, T1 ) = 1 where

N , G, G T , e, p1 , . . . , p5 ← GrpGen(1λ ); G = N , G, G T , e ; g2 ← G p2 ; g3 ← G p3 ; g4 ← G p4 ; g5 ← G p5 ; X 1 X 5 ← G p1 p5 ; Y1 Y2 Y3 ← G p1 p2 p3 ;
D = G , g2 , g3 , g4 , g5 , X 1 X 5 , Y1 Y2 Y3 ; T0 ← G p2 p5 ; T1 ← G p1 p2 p5 . Assumption 6 For any probabilistic polynomial time adversary A , the advantage function defined as follows are negligible in λ.     AdvSD4 A (λ) := Pr A (D, T0 ) = 1 − Pr A (D, T1 ) = 1 where

N , G, G T , e, p1 , . . . , p5 ← GrpGen(1λ ); G = N , G, G T , e ; g1 ← G p1 ; g2 ← G p2 ; g5 ← G p5 ; X 2 X 3 X 4 ← G p2 p3 p4 ;
D ← G , g1 , g2 , g5 , X 2 X 3 X 4 ; T0 ← G p1 p2 p5 ; T1 ← G. To realize the One-sided Publicly Openability, we need G to be equipped with publicly reversible sampling [BWY11, FHKW10, LDL+ 14]. Formally, there exist two algorithms defined as follows. – SampleG () → G. The publicly reversible sampler takes no input and outputs a random element from group G with probability 1 − ζ or outputs a failure symbol ⊥ with probability ζ. In particular, for all G 0 ∈ G, we require that   Pr G = G 0 |G 6= ⊥ = 1/|G|, where the probability space is defined by random coins consumed by SampleG . 1 – Sample− G (G) → r. The public re-sampler takes an element G ∈ G as input and outputs random coins r with probability 1 − θ such that SampleG (; r) = G or outputs a failure symbol ⊥ with probability θ . In  particular, we require that, for all r 0 ∈ R G where R G := br : SampleG (; br ) = G ,

  Pr r = r 0 |r 6= ⊥ = 1/|R G |, 1 where the probability space is defined by random coins consumed by Sample− G .

Bellare, Waters, and Yilek [BWY11] had realized these two algorithms for bilinear group G with ζ ≈ 1/2ρ and θ ≈ 1/2ρ where ρ is an independent parameter, based on the technique for hashing into elliptic curve 1 groups [BLS01]. We will invoke SampleG and Sample− G as black box, their detailed specifications can be found in [BWY11].

12

Setup(1λ , n) G := (N , G, G T , e) ← GrpGen(1λ ) for i ∈ [5] do g i ← G pi v b := g1 g2 g3 v5 ← ZN ; G := g1 g55 ; G u, u5 ← ZN ; w, w5 ← Z2n N u w U := g1u g5 5 ; W := g1w g5 5 ;

b := g1 g2 g3 w b := g1 g2 g3 u ; W U
MPK := G , G, U, W, g 5 € Š b U, b g4 b W, MSK := G, return MPK, MSK

IdSp = {0, 1}n , MsgSp = {0, 1} KeyGen(MPK, MSK, ID) r, r4 , r40 ← ZN b r g r4 K := G € 4Qn Šr r 0 0 b b K := U W[2i − ID[i]] g44 i=1
return K, K 0

Enc(MPK, ID, M) if M = 0 then s, s5 , s€50 ← ZN Šs s Qn C := U i=1 W[2i − ID[i]] g55

Dec(MPK, SK, CT) if e(C, K) = e(C 0 , K 0 ) then return 0 else return 1

s0

C 0 := G s g55 else C, C 0 ← SampleG ()
return C, C 0

OpenToOne(MPK, ID, CT) 1 r ← Sample− G (C) 0 −1 r ← SampleG (C 0 )


return r, r0

Figure 7: Our Main Construction: IBE with 1SPO

4.2

Construction

Assuming a group generator GrpGen described in previous subsection, our main construction is shown in Figure 7, an IBE scheme with identity space IdSp = {0, 1}n and message space MsgSp = {0, 1} which is also equipped with algorithm OpenToOne for achieving One-Sided Publicly Openability.
The correctness of our construction is obvious. Fix an ID ∈ IdSp. For the case C, C 0 ∈ [Enc(MPK, ID, 0)], we have ! !s n Y s5 b r r4 e(C, K) = e U W[2i − ID[i]] g5 , G g4 

(u+

=

e g1

=

e

i=1 Pn

s0

i=1 w[2i− ID [i]]

G s g55 ,

b U

n Y

)s

, g1r

‹

 ‹ P (u+ ni=1 w[2i−ID[i]]) r = e g1s , g1 !r !

b W[2i − ID[i]]

r0

g44

= e(C 0 , K 0 ),

i=1


which means Pr [Dec(MPK, SK, Enc(MPK, ID, 0)) = 0] = 1. For the case C, C 0 ∈ [Enc(MPK, ID, 1)], we let C = g c 0 and C 0 = g c where c, c 0 ∈ ZN , and we have, with the probability space defined by sampling r, r4 , r40 , c, c 0 ← ZN ,

=

Pr [Dec(MPK, SK, Enc(MPK, ID, 1)) = 0]   Pr e(C, K) = e(C 0 , K 0 )  !r ! n Y € Š 0 0 r r br g 4 = e gc , U b b Pr e g c , G W[2i − ID[i]] g44  4

=

h € 
c
r r Š
c 0
u+P w[2i−ID[i]]) r r40 i Pr e g1 g2 g3 g4 , g1 g2 g3 g44 = e g1 g2 g3 g4 , g1 g2 g3 ( g4

¶

64/24λ

=

i=1

Therefore we conclude that Pr [Dec(MPK, SK, Enc(MPK, ID, 1)) = 1] ¾ 1 − 64/24λ . As [BWY11], algorithm OpenToOne indeed satisfies our requirement defined in Section 2 by the property 1 of algorithm SampleG and Sample− G shown in previous subsection. We remark that algorithm OpenToOne −1 runs SampleG twice independently and thus has failure probability δ ¶ 2θ .

4.3

Security Analysis

We prove the following theorem in this subsection. 13

Theorem 2 (Main Theorem) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exist adversaries B1 , B2 , B3 , B4 , B5 and B6 such that SD2 DDH1 AdvINDmCPA (λ) ¶ AdvSD1 A B1 (λ) + 2n · AdvB1 (λ) + (n + 1) · AdvB3 (λ) SD3 SD4 + AdvDDH2 B4 (λ) + AdvB5 (λ) + AdvB6 (λ) + 2ζ.

and maxi∈[6] Time(Bi ) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A . 4.3.1

Organization of Proof

Before we proceed, we define two functions for brevity: h(u, w, ID) := u +

n X

w[2i − ID[i]] and H(U, W, ID) := U ·

i=1

n Y

W[2i − ID[i]]

(1)

i=1

2n u w where ID ∈ {0, 1}n , u ∈ ZN , w ∈ Z2n N , U ∈ G, and W ∈ G . When we set U = g and W = g for some g ∈ G, we immediately have the following relation

H(U, W, ID) = g h(u,w,ID) .  We also need a family of random functions Ri (·) i∈{0}∪[n] defined as follows:

Ri (ID) : ID|i → ZN , ∀i ∈ {0} ∪ [n], where ID|i denotes the i-bit prefix of ID. We note that the Chinese Reminder Theorem implies that Ri (ID) mod b i and R e i , respectively, in [HKS15]. p2 and Ri (ID) mod p3 are distributed independently, which correspond to R Although the range of random functions is ZN , the actual working range is Ri (ID) mod p2 and Ri (ID) mod p3 corresponding to semi-functional space G p2 and G p3 , respectively. The proof follows hybrid arguments using a series of games, which can be roughly divided into four phases. We describe these games in a phase-by-phase fashion in Figure 8, Figure 9, Figure 10, Figure 11, respectively. In particular, we state that – In phase 1, we introduce semi-functional components (elements in G p2 ) into ciphertexts and introduce random function R0 into the system. – In phase 2, we increase the entropy of random function we have introduced following the method of Hofheinz et al.[HKS15]. In particular, by executing phase 2 for n times, we replace the initial random function R0 with Rn , whose output depends on all bits of ID. – In phase 3, we handle the multiple occurrences of a single identity in challenge ciphertexts as well as in secret keys. We finally argue that multiple ciphertexts for a single identity are computationally independent in semi-functional space and so do secret keys. The proof will also follows Hofheinz et al.’s idea for full security [HKS15]. – In phase 4, we show that all ciphertexts for M = 0 are computationally indistinguishable from those for M = 1, which is truly random following the method used in [DCIP10, BWY11]. The remaining of the section includes four parts corresponding to four phases in order. Each part begins with games involved and then proves a series of lemmas showing computational indistinguishability of these games. Putting them together, we immediately obtain the main theorem. In the proof, we define the advantage function of adversary A in Game x.x.x as ” — x.x.x AdvA (λ) := Pr Game x.x.x,A (λ) = 1 − 1/2 . 4.3.2

Phase 1: Prelude

All games used in Phase 1 is defined in Figure 8. Lemma 5 (Game0 ≈ Game1 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv0 (λ) − Adv1 (λ) ¶ AdvSD1 (λ) A A B and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A . 14

Initialize G := (N , G, G T , e) ← GrpGen(1λ ) for i ∈ [5] do g i ← G pi v5 ← ZN
v e := g1 g2 g v5 G := g1 g55 ; G 5

Game0 , Game1 , Game2.0 R0 : IdSp → ZN Challenge(ID∗ , M∗0 , M∗1 ) ∗

∈ ExID then return ⊥ ChID := ChID ∪ {ID∗ } if

b := g1 g2 g3 G u, u5 ← ZN ; w, w5 ← Z2n N u w U := g1u g5 5 ; W := g1w g5 5

e := g1 g2 w g w5 e := g1 g2 u g u5 ; W U 5 5

b := g1 g2 g3 w b := g1 g2 g3 u ; W U β ← {0, 1}
return G , G, U, W, g5

ID

if M∗β = 0 then s, s5 , s50 ← ZN s C := H(U, W, ID)s g55 s

e ID)s g 5 e W, C := H(U, 5 R (ID∗ )·s

C := g2 0

e ID)s g s5 e W, · H(U, 5

s0

C 0 := G s g55

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID} r, r4 , r40 ← ZN b r g r4 K := G 4 0 0 b ID) r g r4 b K := H(U, W, 4 0
R (ID)·r b ID) r g r4 b W, K 0 := g2 g3 0 · H(U, 4
return K, K 0

s0

es g 5 C 0 := G 5 else C, C 0 ← SampleG ()
return C, C 0 Finalize(β 0 ) return (β = β 0 )

Figure 8: Game0 , Game1 , Game2.0
Proof. Given G , g1 , g4 , g5 , X 1 X 2 X 3 , T where T is a random element of either G p1 or G p1 p2 , adversary B
x simulates the procedures as follows. We assume g2 ← G p2 , g3 ← G p3 and implicitly parse X 1 X 2 X 3 = g1 g2 g3
t for some x ∈ ZN , and either T = g1t or T = g1 g2 from some t ∈ ZN .
v e := g1 g2 · g v5 and G b := g1 g2 g3 . SamInitialize Sample v5 ← ZN and set G := g1 · g55 . We implicitly define G 5
u w 2n u w 5 5 e := g1 g2 u g u5 , ple u, u5 ← ZN , w, w5 ← ZN and set U := g1 g5 , W := g1 g5 . We implicitly define U 5
w w5
u
w e := g1 g2 g , U b := g1 g2 g3 . Randomly pick β ← {0, 1} and output MPK := b := g1 g2 g3 , W W
5 G , G, U, W, g5 . Extract(ID) Return ⊥ when

ID

∈ ChID. Update ExID := ExID ∪ {ID}. Sample r 0 , r4 , r40 ← ZN and set

K := X 1 X 2 X 3


r 0

r

· g44 and K 0 := X 1 X 2 X 3


h(u,w,ID)·r 0

r0

· g44 .


Output K, K 0 . Here we implicitly set r := x r 0 ∈ ZN . Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when s0 , s500 , s5000 ← ZN and set

ID

∗

∈ ExID. Update ChID := ChID ∪ {ID∗ }. If s00

∗

Mβ

= 0, sample

s000

C := T h(u,w,ID)·s · g55 and C 0 := T s · g55 .
If M∗β = 1, sample C, C 0 ← SampleG (). Output C, C 0 . Here we implicitly set s ∈ ZN such that s = ts0 mod p1 p2 . 0

0

Finalize(β 0 ) Output (β = β 0 ). The algorithm B outputs 1 if and only if Finalize(β 0 ) = 1, i.e., the adversary A wins the game.
t Observe that if T = g1t ∈ G p1 , the simulation described above is identical to Game0 ; if T = g1 g2 ∈ G p1 p2 , the simulation is identical to Game1 . Therefore we can conclude that Adv0A (λ) − Adv1A (λ) ¶ AdvSD1 B (λ). ƒ Lemma 6 (Game1 = Game2.0 ) For any adversary A , we have Adv1A (λ) = Adv2.0 A (λ). Proof. Since random function R0 (·) is consistent on all possible identities in IdSp, R0 (ID) for all ID ∈ IdSp is a single random variable independently distributed over ZN . If we sample u0 ← ZN and set, in Initialize procedure in Game1 ,
0

0 0 u e := g1 g2 u g R0 g u5 and U b := g1 g2 g3 u g2 g3 R0 , U := g1u g5 5 and U 5 2 15

the resulting game remains unchanged, since we in fact implicitly define u = u0 mod p1 and u = u0 + R0 mod p2 p3 , which is still distributed over ZN as we required in Game1 . Observe that the simulation is also identical to e and U b in Initialize procedure. However we note that the Game2.0 with u = u0 except the definition of U e and U b are not given to adversary in MPK. Therefore we can conclude difference is just conceptual as both U that Game1 and Game2.0 are statistically identical. ƒ 4.3.3

Phase 2: From R0 to Rn

All games used in Phase 2 is defined in Figure 9. Initialize G := (N , G, G T , e) ← GrpGen(1λ , 5) for i ∈ [5] do g i ← G pi v v5 ← ZN ; G := g1 g55

e := g1 g2 g v5 ; G := g1 g3 g v5 G 5 5

Game2.i , Game2.i.1 , Game2.i.2 Ri : IdSp → ZN Challenge(ID∗ , M∗0 , M∗1 ) ∗

∈ ExID then return ⊥ ChID := ChID ∪ {ID∗ } if M∗β = 0 and ID∗ [i + 1] = 0 then s, s5 , s50 ← ZN ; R (ID∗ )·s e ID∗ )s g s5 e W, C := g2 i · H(U, 5 if

b := g1 g2 g3 G u, u5 ← ZN ; w, w5 ← Z2n N u w U := g1u g5 5 ; W := g1w g5 5

e := g1 g2 w g w5 e := g1 g2 u g u5 ; W U 5 5
u u
w w U := g1 g3 g5 5 ; W := g1 g3 g5 5

b := g1 g2 g3 w b := g1 g2 g3 u ; W U β ← {0, 1}
return G , G, U, W, g5

ID

R

C := g2 i+1

(ID∗ )·s

s

e ID∗ )s g 5 e W, · H(U, 5

0

e s g s5 C0 = G 5 elif M∗β = 0 and ID∗ [i + 1] = 1 then s, s5 , s50 ← ZN R (ID∗ )·s e ID∗ )s g s5 e W, · H(U, C := g2 i 5

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID} r, r4 , r40 ← ZN b r g r4 K := G 4 0
R (ID)·r b ID) r g r4 b W, K 0 := g2 g3 i · H(U, 4 0
R (ID)·r b ID) r g r4 b W, K 0 := g2 g3 i+1 · H(U, 4
return K, K 0

R (ID∗ )·s

C := g3 i R

C := g3 i+1

s

· H(U, W, ID∗ )s g55

(ID∗ )·s

s

· H(U, W, ID∗ )s g55

0

e s g s5 C 0 := G 5 s

s0

C 0 := G g55 else C, C 0 ← SampleG ()
return C, C 0

Finalize(β 0 ) return (β = β 0 )

Figure 9: Game2.i (i ∈ [0, n]), Game2.i.1 (i ∈ [0, n − 1]), Game2.i.2 (i ∈ [0, n − 1]) Lemma 7 (Game2.i ≈ Game2.i.1 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv2.i (λ) − Adv2.i.1 (λ) ¶ AdvSD2 (λ) A A B and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A .
Proof. Given G , g1 , g4 , g5 , X 2 X 5 , Y2 Y3 , T where T is a random element of either G p2 p5 or G p3 p5 , adversary B
x simulates the procedures as follows. We assume g2 ← G p2 , g3 ← G p3 and implicitly parse X 2 X 5 = g2 g5 for
y
t
t some x ∈ ZN , Y2 Y3 = g2 g3 for some y ∈ ZN and either T = g2 g5 or T = g3 g5 for some t ∈ ZN .

v e := g1 g2 g v5 , G := g1 g3 g v5 and Initialize Sample v5 ← ZN and set G := g1 g55 . We implicitly define G 5 5 b := g1 g2 g3 . Sample u, u5 ← ZN and w, w5 ← Z2n , and set U := g u g u5 and W := g w g w5 . We implicitly G 5 5 N 1 1




e := g1 g2 w g w5 , U := g1 g3 u g u5 , W := g1 g3 w g w5 , U b := g1 g2 g3 u and e := g1 g2 u g u5 , W define U 5 5 5 5

w b := g1 g2 g3 . Randomly pick β ← {0, 1} and output MPK := G , G, U, W, g5 . B also maintains a W random function Ri (·) in an on-the-fly manner. 16

Extract(ID) Return ⊥ when

ID

∈ ChID. Update ExID := ExID ∪ {ID}. Sample r 0 , r 00 , r4 , r40 ← ZN and set


R (ID)+h(u,w,ID))·r 00 r40
r 00 r4 0 h(u,w,ID)·r 0 · Y2 Y3 ( i · g4 . · g4 and K 0 := g1 K := g1r · Y2 Y3
Output K, K 0 . Here we implicitly set r ∈ ZN such that r = r 0 mod p1 and r = y r 00 mod p2 p3 . Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when ID∗ ∈ ExID. Update ChID := ChID ∪{ID∗ }. If M∗β = 0 and ID∗ [i +1] = 0, sample s0 , s00 , s500 , s5000 ← ZN and set h(u,w,ID∗ )·s0

C := g1


s00 s000
R (ID∗ )+h(u,w,ID∗ ))·s00 s500 0 · X2X5 ( i · g5 and C 0 := g1s · X 2 X 5 · g55 .

Here we implicitly set s ∈ ZN such that s = s0 mod p1 and s = xs00 mod p2 . If sample s0 , s00 , s500 , s5000 ← ZN and set h(u,w,ID∗ )·s0

C := g1

· T (Ri (ID

∗

)+h(u,w,ID∗ ))·s00

s00

∗

Mβ

0

= 0 and

00

ID

∗

[i + 1] = 1,

s000

· g55 and C 0 := g1s · T s · g55 .

Here we implicitly set s ∈ ZN such that s = s0 mod p1 , and s = ts00 mod p2 p3 . Finally, if
C, C 0 ← SampleG (). Output C, C 0 .

∗

Mβ

= 1, sample

Finalize(β 0 ) Output (β = β 0 ). The algorithm B outputs 1 if and only if Finalize(β 0 ) = 1, i.e., the adversary A wins the game.
t
t Observe that if T = g2 g5 ∈ G p2 p5 , the simulation described above is identical to Game2.i ; if T = g3 g5 , 2.i.1 SD2 the simulation is identical to Game2.i.1 . Therefore we can conclude that Adv2.i A (λ) − AdvA (λ) ¶ AdvB (λ). ƒ Lemma 8 (Game2.i.1 ≈ Game2.i.2 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv2.i.1 (λ) − Adv2.i.2 (λ) ¶ AdvDDH1 (λ) B A A and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A . € Š € x y x y Š € x y+z x y+z Š y y Proof. Given G , g1 , g2 , g3 , g4 , g5 , g2x Xe4 , g2 Ye4 , g3x X 4 , g3 Y 4 , T where T is either g2 , g3 or g2 , g3 , adversary B generates Q K tuples (using Many Tuple Lemma [CW13]) € xj Š x g2 Xe4, j , g3 j X 4, j , T j , ∀ j ∈ [Q K ]  x y+z x y+z  € x y x yŠ or g2 j j , g3 j j for x j , z j ← ZN , and then simulates where Xe4, j , X 4, j ← G p4 and T j is either g2 j , g3 j the procedures as follows.

v e := g1 g2 g v5 , G := g1 g3 g v5 and G b := g1 g2 g3 . Sample Initialize Sample v5 ← ZN and set G := g1 g55 , G 5 5


u u5 u u5 u u5 e b := g1 g2 g3 u . Sample u, u5 ← ZN and set U := g1 g5 , U := g1 g2 g5 , U := g1 g3 g5 and U w0 w5 w0 , w5 ← Z2n N and set W := g 1 g 5 . We implicitly define
w0


0 w b := g1 g2 g3 w g ye2(i+1)−1 g ye2(i+1)−0 . g5 5 and W 3 2
Randomly pick β ← {0, 1} and output MPK := G , G, U, W, g5 . Note that we implicitly set w ∈ Z2n N such that w = w0 mod p1 and w = w0 + ye2(i+1)−1 mod p2 and w = w0 + ye2(i+1)−0 mod p3 , e := g1 g2 W

ye2(i+1)−1

g2

w

g5 5 and W := g1 g3


w0

ye2(i+1)−0

g3

e and note that neither W[2(i + 1) − 1] nor W[2(i + 1) − 0] is known to B. Besides that, B also maintains a random function Ri (·) in an on-the-fly manner. Extract(ID) Return ⊥ when ID ∈ ChID. Update ExID := ExID ∪ {ID}. If Ri (ID) has not been used before, sample r 0 , r400 , r4000 ← ZN and set K

K

0

:=

:=

g1 g2 g3 

Š € x Š r 00
r 0 € x j · g2 Xe4, j · g3 j X 4, j · g44

€ Š0 000  g −Ri (ID)·r 0 · K Ri (ID)+h(u,w0 ,ID) · g y Y r · T [2] · g r4 , j 4 1 3 4 € Š0 000  g −Ri (ID)·r 0 · K Ri (ID)+h(u,w0 ,ID) · g y Ye r · T [1] · g r4 , 1

2

17

4

j

4

if

ID [i

+ 1] = 0

if

ID [i

+ 1] = 1

where T j [1] and T j [2] refers to the first and second entry of T j , respectively. Here we implicitly set
r ∈ ZN such that r = r 0 mod p1 and r = r 0 + x j mod p2 p3 . Output K, K 0 . On the other hand, if Ri (ID) has been touched, we find out the index j and random coins r 0 , r400 , r4000 used at the first time Ri (ID) was
met, and create K, K 0 using the old index and these € random coins Š but with the new ID following the 00 00 above method. Then we sample r 00 ← ZN and output K r , (K 0 ) r as reply to the query. In this case, Š € we implicitly set r such that r = r 0 r 00 mod p1 and r = r 0 + x j r 00 mod p2 p3 . Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when ID∗ ∈ ExID. Update ChID := ChID ∪{ID∗ }. If M∗β = 0 and ID∗ [i +1] = 0, sample s, s5 , s50 ← ZN and set R (ID∗ )·s

C := g2 i

0

e s · g s5 . e ID∗ )s · g s5 and C 0 := G e W, · H(U, 5 5

e Note that we do not need W[2(i + 1) − 1] which is unknown. If s, s5 , s50 ← ZN and set R (ID∗ )·s

C := g3 i

∗

Mβ

= 0 and

ID

∗

[i + 1] = 1, sample

s0

s

es · g 5 . · H(U, W, ID∗ )s · g55 and C 0 := G 5

Note that we do not need W[2(i + 1) − 0] which is unknown. In a word, even though B does not know e and W, it still can compute ciphertext for M∗ = 0 as usual. Finally, if M∗ = 1, sample all elements in W β β
0 C, C ← SampleG (). Output C, C 0 . Finalize(β 0 ) Output (β = β 0 ). 0 The algorithm B outputs € x j y 1x jify Šand only if Finalize(β ) = 1, i.e., the adversary A wins. Clearly, if T j = g2 , g3 for all j ∈ [q], the simulation described above is identical to Game2.i.1 . On the  x y+z x y+z  j j j j other hand, if T j = g2 , g3 for all j ∈ [q], we implicitly set

¨

Ri+1 (ID) :=

Ri (ID) mod p2 , if Ri (ID) + z j /(r 0 + x j ) mod p2 , if ¨

Ri+1 (ID) :=

ID [i ID [i

Ri (ID) + z j /(r 0 + x j ) mod p3 , if Ri (ID) mod p3 , if

+ 1] = 0 + 1] = 1

ID [i ID [i

and

+ 1] = 0 + 1] = 1

where index j ∈ [q] and index r 0 ∈ ZN were selected at the first time Ri (ID) was met in the simulation. There- 2.i.1 fore the simulation in this case is identical to Game2.i.2 . Therefore we can conclude that AdvA (λ) − Adv2.i.2 A (λ) ¶ DDH1 AdvB (λ). ƒ Lemma 9 (Game2.i.2 ≈ Game2.(i+1) ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that 2.(i+1) (λ) − Adv (λ) Adv2.i.2 ¶ AdvSD2 A A B (λ) and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A . Proof. The proof is almost the same as the proof for Lemma 7. The only difference is to employ the highentropy random function Ri+1 instead of the low-entroy Ri in the simulation. ƒ 4.3.4

Phase 3: Handling multi-ciphertexts, multi-keys setting

All games used in Phase 3 is defined in Figure 10. Lemma 10 (Game2.n ≈ Game3 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv2.n (λ) − Adv3 (λ) ¶ AdvDDH2 (λ) A A B and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A . € Š y xy x y+z Proof. Given G , g1 , g2 , g3 , g4 , g5 , g2x Xe5 , g2 Ye5 , T where T is either g2 or g2 , adversary B generates Q C tuples (using Many Tuple Lemma [CW13]) € xj Š g2 Xe5, j , T j , ∀ j ∈ [Q C ] x y x y+z where Xe5, j ← G p5 and T j is either g2 j or g2 j j for x j , z j ← ZN , and then simulates the procedures as follows.

18

Initialize G := (N , G, G T , e) ← GrpGen(1λ ) for i ∈ [5] do g i ← G pi v v5 ← ZN ; G := g1 g55
v5 e := g1 g2 g ; G e := ⊥ G 5

Game2.n , Game3 , Game4 , Game5 Rn : IdSp → ZN

b := g1 g2 g3 ; G b := g1 G u, u5 ← ZN ; w, w5 ← Z2n N u w U := g1u g5 5 ; W := g1w g5 5

e := g1 g2 w g w5 e := g1 g2 u g u5 ; W U 5 5 e := ⊥ e := ⊥; W U

b := g1 g2 g3 w b := g1 g2 g3 u ; W U

Challenge(ID∗ , M∗0 , M∗1 ) ∗

∈ ExID then return ⊥ ChID := ChID ∪ {ID∗ } if

ID

if M∗β = 0 then s, s5 , s50 ← ZN s 0 ← ZN ;

s00 ← ZN

R (ID )·s

b := g w b := g u ; W U 1 1

∗

C := g2 n

β ← {0, 1}
return G , G, U, W, g5

s

e ID)s g 5 e W, · H(U, 5

0

e ID)s g s5 e W, C := g2s · H(U, 5 0

s

C := g2s · H(U, W, ID)s g55

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID}

s0

es g 5 C 0 := G 5 00

s0

C 0 := g2s · G s g55

r, r4 , r40 ← ZN ; r 0 ← ZN ; r 00 ← ZN b r g r4 K := G 4
r 00 b r g r4 K := g2 g3 ·G 4 0
Rn (ID)·r 0 b ID) r g r4 b W, K := g2 g3 · H(U, 4 0
r 0 b ID) r g r4 b W, K 0 := g2 g3 · H(U, 4

else C, C 0 ← SampleG ()
return C, C 0 Finalize(β 0 ) return (β = β 0 )

Figure 10: Game2.n , Game3 , Game4 , Game5
v e := g1 g2 g v5 and G b := g1 g2 g3 . Sample u, u5 ← ZN and Initialize Sample v5 ← ZN and set G := g1 g55 , G 5


u u5 u u5 w w5 e e := g1 g2 w g w5 , U b := g1 g2 g3 u w, w5 ← Z2n , and set U := g g , W := g g , U := g g g ,W 1 2 5 5 5 5 N 1 1

b := g1 g2 g3 w . Randomly pick β ← {0, 1} and output MPK := G , G, U, W, g5 . Besides that, B and W also maintains a random function Rn (·) in an on-the-fly manner. Extract(ID) Return ⊥ when

ID

∈ ChID. Update ExID := ExID ∪ {ID}. Sample r, r4 , r40 ← ZN and set r

b r g 4 and K 0 := g2 g3 K := G 4


Rn (ID)·r

r0

b ID) r g 4 b W, · H(U, 4


Output K, K 0 . Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when ID∗ ∈ ExID. Update ChID := ChID ∪ {ID∗ }. We maintain another independent random function R0 : IdSp → ZN whose output depends on all bits of ID. If M∗β = 0, pick a new j ∈ [q], sample s0 , s500 , s5000 ← ZN and set h(u,w,ID∗ )s0

C := g1

€ x Šh(u,w,ID∗ ) R0 (ID∗ ) s00 € x Š s000 0 · g2 j Xe5, j · Tj · g55 and C 0 := g1s · g2 j Xe5, j · g55 .

Here we implicitly set s ∈ ZN such that s = s0 mod p1 , s = x j mod p2 and Rn (ID∗ ) = y · R0 (ID∗ ) mod p2 for ∗ ID ∈ ChID. We note that the assignment for Rn is always consistent since the simulation ensures that
ExID ∩ ChID = ;. If M∗β = 1, sample C, C 0 ← SampleG (). Output C, C 0 . Finalize(β 0 ) Output (β = β 0 ). The algorithm B outputs 1 if and only if Finalize(β 0 ) = 1, i.e., the adversary A wins the game. x y Observe that if T j = g2 j for all j ∈ [q], the simulation described above is identical to Game2.n . On x y+z

the other hand, if T j = g2 j j for all j ∈ [q], the simulation is identical to Game 3 where we implicitly set 3 ¶ AdvDDH2 (λ). s0 = R0 (ID) · (x j y + z j ). Therefore we can conclude that Adv2.n (λ) − Adv (λ) ƒ A A B

19

Lemma 11 (Game3 ≈ Game4 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv3 (λ) − Adv4 (λ) ¶ AdvDDH1 (λ) A A B and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A . Š € x y x y Š € x y+z x y+z Š € y y , , g3 Proof. Given G , g1 , g2 , g3 , g4 , g5 , g2x Xe4 , g2 Ye4 , g3x X 4 , g3 Y 4 , T where T is either g2 , g3 or g2 adversary B generates a shared term and Q K tuples (using Many Tuple Lemma [CW13]) Š €
x
y g2 g3 j X 4, j , T j , ∀ j ∈ [Q K ] g2 g3 Y4 and where Y4 , X 4, j ← G p4 and T j is either procedures as follows.

g2 g3


x j y

or

g2 g3


x j y+z j

for x j , z j ← ZN , and then simulates the


v e := g1 g2 g v5 and G b := g1 g2 g3 . Sample u, u5 ← ZN and Initialize Sample v5 ← ZN and set G := g1 g55 , G 5


w w5 u u5 u u5 w w5 e e b := g1 g2 g3 u g5 , U g w, w5 ← Z2n , and set U := g g , W := g g , U := g g 1 2 5 , W := g 1 g 2 N 1 5 1 5

w b := g1 g2 g3 . Randomly pick β ← {0, 1} and output MPK := G , G, U, W, g5 . and W Extract(ID) Return ⊥ when ID ∈ ChID. Update ExID := ExID ∪ {ID}. We maintain a random function R0 : IdSp → ZN whose output depends on all bits of ID. Pick a new j ∈ [q], sample r 0 , r400 , r4000 ← ZN and set 0

K := g1r ·

€

g2 g3


x j

Šh(u,w,ID) R0 (ID) r 000 € Š r 00
x h(u,w,ID)r 0 · Tj · g44 · g2 g3 j X 4, j X 4, j · g44 and K 0 := g1

Here we implicitly set r ∈ ZN such that r = r 0 mod p1 , r = x j mod p2 p3 and define Rn (ID) = y · R0 (ID) mod p2 p3 for ID ∈ ExID. We note that the assignment for Rn is consistent since ExID ∩ ChID = ;. Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when s, s0 , s5 , s50 ← ZN and set

ID

∗

∈ ExID. Update ChID := ChID ∪ {ID∗ }. If

0

If

∗

Mβ

∗

Mβ

= 0, sample

s0

s

es · g 5 . e ID∗ )s · g 5 and C 0 := G e W, C := g2s · H(U, 5 5
0 0 = 1, sample C, C ← SampleG (). Output C, C .

Finalize(β 0 ) Output (β = β 0 ). 0 The algorithm B outputs € x j y 1xifj y and Š only if Finalize(β ) = 1, i.e., the adversary A wins the game. Clearly, if T j = g2 , g3 for all j ∈ [q], the simulation described above is identical to Game3 . On the  x y+z x y+z  j j j j , g3 for all j ∈ [q], the simulation is identical to Game4 where we implicitly other hand, if T j = g2 0 0 ƒ set r = R (ID) · (x y + z ). Therefore we can conclude that Adv3 (λ) − Adv4 (λ) ¶ AdvDDH1 (λ). j

j

A

A

B

Lemma 12 (Game4 = Game5 ) For any adversary A , Adv4A (λ) = Adv5A (λ). Proof. The transformation from Game4 to Game5 is just conceptual following the Chinese Remainder Theorem. In both games, the G p2 p3 -parts of K and K 0 are independent, and so do the G p2 -part of C and C 0 . Of course, the G p1 -parts of them are still structural. ƒ 4.3.5

Phase 4: Epilogue

All games used in Phase 4 is defined in Figure 11. Lemma 13 (Game5 ≈ Game6 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv5 (λ) − Adv6 (λ) ¶ AdvSD3 (λ) A A B and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A .
Proof. Given G , g2 , g3 , g4 , g5 , X 1 X 5 , Y1 Y2 Y3 , T where T is a random element of either G p2 p5 or G p1 p2 p5 , adversary B simulates the procedures as follows. We implicitly set g1 = X 1 and parse X 1 X 5 = g1 g5x from some
y
t
t x ∈ ZN , Y1 Y2 Y3 = g1 g2 g3 for some y ← ZN and either T = g2 g5 or T = g1 g2 g5 for some t ← ZN .

20

Game5 , Game6 , Initialize G := (N , G, G T , e) ← GrpGen(1λ ) for i ∈ [5] do g i ← G pi v b := g1 v5 ← ZN ; G := g1 g55 ; G u, u5 ← ZN ; w, w5 ← Z2n N u w U := g1u g5 5 ; W := g1w g5 5 b := g w b := g u ; W U 1 1 β ← {0, 1}
return G , G, U, W, g5

Game7 , GameFin Challenge(ID∗ , M∗0 , M∗1 ) ∗

∈ ExID then return ⊥ ChID := ChID ∪ {ID∗ } if

ID

if M∗β = 0 then s, s0 , s00 , s5 , s50 ← ZN 0 s C := H(U, W, ID)s · g2s g55 00

s0

C 0 := G s · g2s g55 C, C 0 ← G p1 p2 p5

Extract(ID) if ID ∈ ChID then return ⊥ ExID := ExID ∪ {ID} r, r 0 , r 00 , r4 , r40 ← ZN
00 b r · g2 g3 r g r4 K := G 4
0 0 b ID) r · g2 g3 r g r4 b W, K 0 := H(U, 4
return K, K 0

C, C 0 ← G C, C 0 ← SampleG () else C, C 0 ← SampleG ()
return C, C 0 Finalize(β 0 ) return (β = β 0 )

Figure 11: Game5 , Game6 , Game7
u u05 Initialize Set G := X 1 X 5 . Sample u, u05 ← ZN and w, w05 ← Z2n g5 and W := N , and set U := X 1 X 5
w w05 u w b := g1 , U b := g . Randomly pick β ← {0, 1} and b := g and W X 1 X 5 g5 . We implicitly define G 1 1
output MPK := G , G, U, W, g5 . Extract(ID) Return ⊥ when

ID

∈ ChID. Update ExID := ExID ∪ {ID}. Sample br , br 0 , br 00 , r4 , r40 ← ZN and set

K := Y1 Y2 Y3


br

· g2 g3


br 00

r

g44 and K 0 := Y1 Y2 Y3


h(u,w,ID)·br

· g2 g3


br 0

r0

· g44 .


Output K, K 0 . Here we implicitly set r = ybr . Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when ID∗ ∈ ExID. Update ChID := ChID ∪ {ID∗ }. If M∗β = 0, sample s, t 0 , t 00 ← ZN and set 0 00 C := H(U, W, ID∗ )s · T t and C 0 = G s · T t .
If M∗β = 1, sample C, C 0 ← SampleG (). Output C, C 0 . Finalize(β 0 ) Output (β = β 0 ). The algorithm B outputs 1 if and only if Finalize(β 0 ) = 1, i.e., the adversary A wins the game.
t Observe that if T = g2 g5 ∈ G p2 p5 , the simulation described above is identical to Game5 ; if T =
t 0 g1 g2 g5 , the simulation is identical to Game6 where the G p1 -parts of C and C 0 are hidden by g1t t and 00 g1t t , respectively. Therefore we can conclude that Adv5A (λ) − Adv6A (λ) ¶ AdvSD3 ƒ B (λ). Lemma 14 (Game6 ≈ Game7 ) For any probabilistic polynomial time adversary A making Q K key extraction queries and Q C challenge queries, there exists an adversary B such that Adv6 (λ) − Adv7 (λ) ¶ AdvSD4 (λ) A A B and Time(B) ≈ Time(A ) + (Q C + Q K ) · poly(λ, n) where poly is independent of A .
Proof. Given G , g1 , g2 , g5 , X 2 X 3 X 4 , T where T is a random element of either G p1 p2 p5 or G, adversary B
x simulates the procedures as follows. We implicitly parse X 2 X 3 X 4 = g2 g3 g4 for some x ∈ ZN and either
t T = g1 g2 g5 or T = g t for some t ∈ ZN .

21

v b := g1 . Sample u, u5 ← ZN and w, w5 ← Z2n , and Initialize Sample v5 ← ZN and set G := g1 g55 and G N u u5 w w5 b u b set U := g1 g5 , W := g1 g5 , U := g1 and W := g1w . Randomly pick β ← {0, 1} and output MPK :=
G , G, U, W, g5 .

Extract(ID) Return ⊥ when

ID

∈ ChID. Update ExID := ExID ∪ {ID}. Sample r, r 0 , r 00 ← ZN and set

br · X2X3X4 K := G


r 0

b ID) r · X 2 X 3 X 4 b W, and K 0 := H(U,


r 00

.


Output K, K 0 . Challenge(ID∗ , M∗0 , M∗1 ) Return ⊥ when ZN and set If

∗

Mβ

ID

∗

∈ ExID. Update ChID := ChID ∪ {ID∗ }. If 0

∗

Mβ

= 0, sample t 0 , t 00 ←

00

C := T t and C 0 := T t .
= 1, sample C, C 0 ← SampleG (). Output C, C 0 .

Finalize(β 0 ) Output (β = β 0 ). The algorithm B outputs 1 if and only if Finalize(β 0 ) = 1, i.e., the adversary A wins game.
t Observe that if T = g1 g2 g5 ∈ G p1 p2 p5 , the simulation described above is identical to Game6 ; if T = g t , the simulation is identical to Game7 . Therefore we can conclude that Adv6A (λ) − Adv7A (λ) ¶ AdvSD4 B (λ). ƒ Lemma 15 (Game7 ≈ GameFin ) For adversary A , Adv7A (λ) − AdvFin A (λ) ¶ 2ζ. Proof. These two games are exactly the same until publicly reversible sampler SampleG outputs ⊥ when encrypting message 0 in GameFin . Clearly we can bound the probability of this event by 2ζ where ζ is the ¶ 2ζ. (λ) ƒ error probability of SampleG . Therefore we can conclude that Adv7A (λ) − AdvFin A Final Analysis. In the last game GameFin , ciphertexts for message 0 and 1 are produced following the same procedure, i.e., invoking SampleG () twice. Therefore we have AdvFin A (λ) = 0 for any adversary A . Combining all lemmas above together, we have proved the main theorem.

5

Conclusion

The paper proposed the first identity based encryption scheme secure against selective opening attack with almost-tight security reduction. The work applied Hofheinz et al.’s recent technique for almost-tight secure IBE in the multi-ciphertext setting to Bellare et al.’s framework for reaching selective opening security from standard IND-CPA security in the IBE setting. The resulting construction works with bilinear groups whose order is the product of five distinct prime numbers. Acknowledgement. We want to thank Zhengan Huang for useful suggestion. This work is supported by the National Natural Science Foundation of China (Grant Nos. 61321064, 61371083, 61373154, 61411146001, and 61472142), the Specialized Research Fund for the Doctoral Program of Higher Education of China through the Prioritized Development Projects under Grant 20130073130004, and Science and Technology Commission of Shanghai Municipality (Grant Nos. 14YF1404200, 13JC1403500).

References [AHY15]

Nuttapong Attrapadung, Goichiro Hanaoka, and Shota Yamada. A framework for identity-based encryption with almost tight security. IACR Cryptology ePrint Archive, 2015. 4, 5

[Att14]

Nuttapong Attrapadung. Dual system encryption via doubly selective security: Framework, fully secure functional encryption for regular languages, and more. In Advances in Cryptology– EUROCRYPT 2014, pages 557–577. Springer, 2014. 5

[BB04a]

Dan Boneh and Xavier Boyen. Efficient selective-id secure identity-based encryption without random oracles. In Advances in Cryptology - EUROCRYPT 2004, pages 223–238, 2004. 5

[BB04b]

Dan Boneh and Xavier Boyen. Secure identity based encryption without random oracles. In Advances in Cryptology - CRYPTO 2004, pages 443–459, 2004. 5 22

[BF01]

Dan Boneh and Matt Franklin. Identity-based encryption from the weil pairing. In Advances in Cryptology-CRYPTO 2001, pages 213–229. Springer, 2001. 2, 5, 7

[BGN05]

Dan Boneh, Eu-Jin Goh, and Kobbi Nissim. Evaluating 2-dnf formulas on ciphertexts. In Theory of cryptography, pages 325–341. Springer, 2005. 11

[BHY09]

Mihir Bellare, Dennis Hofheinz, and Scott Yilek. Possibility and impossibility results for encryption and commitment secure under selective opening. In Advances in Cryptology-EUROCRYPT 2009, pages 1–35. Springer, 2009. 5, 7

[BKP14]

Olivier Blazy, Eike Kiltz, and Jiaxin Pan. (hierarchical) identity-based encryption from affine message authentication. In Advances in Cryptology–CRYPTO 2014, pages 408–425. Springer, 2014. 5

[BLS01]

Dan Boneh, Ben Lynn, and Hovav Shacham. Short signatures from the weil pairing. In Advances in Cryptology-ASIACRYPT 2001, pages 514–532. Springer, 2001. 12

[BR06]

Mihir Bellare and Phillip Rogaway. The security of triple encryption and a framework for codebased game-playing proofs. In Advances in Cryptology-EUROCRYPT 2006, pages 409–426. Springer, 2006. 6

[BW06]

Xavier Boyen and Brent Waters. Anonymous hierarchical identity-based encryption (without random oracles). In Advances in Cryptology-CRYPTO 2006, pages 290–307. Springer, 2006. 2

[BWY11]

Mihir Bellare, Brent Waters, and Scott Yilek. Identity-based encryption secure against selective opening attack. In Theory of Cryptography, pages 235–252. Springer, 2011. 2, 3, 4, 5, 6, 7, 8, 11, 12, 13, 14

[CDNO97] Rein Canetti, Cynthia Dwork, Moni Naor, and Rafail Ostrovsky. Deniable encryption. In Advances in Cryptology-CRYPTO’97, pages 90–104. Springer, 1997. 2, 3, 8 [CGW15]

Jie Chen, Romain Gay, and Hoeteck Wee. Improved dual system abe in prime-order groups via predicate encodings. In Advances in Cryptology-EUROCRYPT 2015, pages 595–624. Springer, 2015. 5

[CLL+ 13]

Jie Chen, Hoon Wei Lim, San Ling, Huaxiong Wang, and Hoeteck Wee. Shorter ibe and signatures via asymmetric pairings. In Pairing-Based Cryptography–Pairing 2012, pages 122–140. Springer, 2013. 5

[CW13]

Jie Chen and Hoeteck Wee. Fully,(almost) tightly secure ibe and dual system groups. In Advances in Cryptology–CRYPTO 2013, pages 435–460. Springer, 2013. 3, 4, 5, 11, 17, 18, 20

[DCIP10]

Angelo De Caro, Vincenzo Iovino, and Giuseppe Persiano. Fully secure anonymous hibe and secret-key anonymous ibe with short ciphertexts. In Pairing-Based Cryptography-Pairing 2010, pages 347–366. Springer, 2010. 2, 3, 4, 11, 14

[FHKW10] Serge Fehr, Dennis Hofheinz, Eike Kiltz, and Hoeteck Wee. Encryption schemes secure against chosen-ciphertext selective opening attacks. In Advances in Cryptology–EUROCRYPT 2010, pages 381–402. Springer, 2010. 5, 12 [GCD+ 15] Junqing Gong, Jie Chen, Xiaolei Dong, Zhenfu Cao, and Shaohua Tang. Extended nested dual system groups, revisited. IACR Cryptology ePrint Archive, 2015. 5 [Gen06]

Craig Gentry. Practical identity-based encryption without random oracles. In Advances in Cryptology - EUROCRYPT 2006, pages 445–464, 2006. 5

[HJKS15] Felix Heuer, Tibor Jager, Eike Kiltz, and Sven Schäge. On the selective opening security of practical public-key encryption schemes. In Public-Key Cryptography–PKC 2015, pages 27–51. Springer, 2015. 5 [HKS15]

Dennis Hofheinz, Jessica Koch, and Christoph Striecks. Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In Public-Key Cryptography–PKC 2015, pages 799–822. Springer, 2015. 2, 5, 7, 11, 14

23

[HLL+ 15] Jingnan He, Bao Li, Xianhui Lu, Dingding Jia, Haiyang Xue, and Xiaochao Sun. Identity-based lossy encryption from learning with errors. In Advances in Information and Computer Security, pages 3–20. Springer, 2015. 5 [HLOV11] Brett Hemenway, Benoît Libert, Rafail Ostrovsky, and Damien Vergnaud. Lossy encryption: Constructions from general assumptions and efficient selective opening chosen ciphertext security. In Advances in Cryptology–ASIACRYPT 2011, pages 70–88. Springer, 2011. 5 [HLQ13]

Zhengan Huang, Shengli Liu, and Baodong Qin. Sender-equivocable encryption schemes secure against chosen-ciphertext attacks revisited. In Public-Key Cryptography–PKC 2013, pages 369–385. Springer, 2013. 5

[Hof12]

Dennis Hofheinz. All-but-many lossy trapdoor functions. In Advances in Cryptology–EUROCRYPT 2012, pages 209–227. Springer, 2012. 5

[JR13]

Charanjit S Jutla and Arnab Roy. Shorter quasi-adaptive nizk proofs for linear subspaces. In Advances in Cryptology-ASIACRYPT 2013, pages 1–20. Springer, 2013. 5

[LDL+ 14] Junzuo Lai, Robert H Deng, Shengli Liu, Jian Weng, and Yunlei Zhao. Identity-based encryption secure against selective opening chosen-ciphertext attack. In Advances in Cryptology–EUROCRYPT 2014, pages 77–92. Springer, 2014. 5, 12 [Lew12]

Allison Lewko. Tools for simulating features of composite order bilinear groups in the prime order setting. In Advances in Cryptology–EUROCRYPT 2012, pages 318–335. Springer, 2012. 5

[LOS+ 10] Allison Lewko, Tatsuaki Okamoto, Amit Sahai, Katsuyuki Takashima, and Brent Waters. Fully secure functional encryption: Attribute-based encryption and (hierarchical) inner product encryption. In Advances in Cryptology–EUROCRYPT 2010, pages 62–91. Springer, 2010. 5 [LP15]

Shengli Liu and Kenneth G Paterson. Simulation-based selective opening cca security for pke from key encapsulation mechanisms. In Public-Key Cryptography–PKC 2015, pages 3–26. Springer, 2015. 5

[LW10]

Allison Lewko and Brent Waters. New techniques for dual system encryption and fully secure hibe with short ciphertexts. In Theory of Cryptography, pages 455–479. Springer, 2010. 2, 3, 5, 11

[LW11]

Allison Lewko and Brent Waters. Unbounded hibe and attribute-based encryption. In Advances in Cryptology–EUROCRYPT 2011, pages 547–567. Springer, 2011. 5

[LW12]

Allison Lewko and Brent Waters. New proof methods for attribute-based encryption: Achieving full security through selective techniques. In Advances in Cryptology–CRYPTO 2012, pages 180–198. Springer, 2012. 5

[NR04]

Moni Naor and Omer Reingold. Number-theoretic constructions of efficient pseudo-random functions. J. ACM, 51(2):231–262, 2004. 5

[OT10]

Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure functional encryption with general relations from the decisional linear assumption. In Advances in Cryptology–CRYPTO 2010, pages 191–208. Springer, 2010. 5

[OT12a]

Tatsuaki Okamoto and Katsuyuki Takashima. Adaptively attribute-hiding (hierarchical) inner product encryption. In Advances in Cryptology–EUROCRYPT 2012, pages 591–608. Springer, 2012. 5

[OT12b]

Tatsuaki Okamoto and Katsuyuki Takashima. Fully secure unbounded inner-product and attributebased encryption. In Advances in Cryptology–ASIACRYPT 2012, pages 349–366. Springer, 2012. 5

[RCS12]

Somindu C Ramanna, Sanjit Chatterjee, and Palash Sarkar. Variants of waters’ dual system primitives using asymmetric pairings. In Public Key Cryptography–PKC 2012, pages 298–315. Springer, 2012. 5

[Sha85]

Adi Shamir. Identity-based cryptosystems and signature schemes. In Advances in cryptology, pages 47–53. Springer, 1985. 5

24

[Wat05]

Brent Waters. Efficient identity-based encryption without random oracles. Cryptology–EUROCRYPT 2005, pages 114–127. Springer, 2005. 3, 4, 5

[Wat09]

Brent Waters. Dual system encryption: Realizing fully secure ibe and hibe under simple assumptions. In Advances in Cryptology-CRYPTO 2009, pages 619–636. Springer, 2009. 2, 5

[Wee14]

Hoeteck Wee. Dual system encryption via predicate encodings. In Theory of Cryptography, pages 616–637. Springer, 2014. 5

25

In Advances in