Almost-tight Identity Based Encryption against Selective Opening Attack

Almost-tight Identity Based Encryption

against Selective Opening Attack

Junqing Gong

Xiaolei Dong

_{Zhenfu Cao}

_{Jie Chen}

October 10, 2015

Abstract

The paper presented an identity based encryption (IBE) under selective opening attack (SOA) whose security is almost-tightly related to a set of computational assumptions. Our result is a combination of Bellare, Waters, and Yilek’s method[TCC, 2011]for constructing (not tightly) SOA secure IBE and Hofheinz, Koch, and Striecks’ technique[PKC, 2015]on building almost-tightly secure IBE in the multi-ciphertext setting. In particular, we first tuned Bellareet al.’s generic construction for SOA secure IBE to show that a one-bit IBE achieving ciphertext indistinguishability under chosen plaintext attack in themulti-ciphertextsetting (with one-sided publicly openability)tightlyimplies a multi-bit IBE secure under selective opening attack. Next, we almost-tightly reduced such a one-bit IBE to static assumptions in the composite-order bilinear groups employing the technique of Hofheinzet al.This yielded thefirstSOA secure IBE with almost-tight reduction.

Contents

1 Introduction 2

1.1 Background and Problem . . . 2

1.2 Our Technique . . . 2

1.3 Related Work. . . 5

1.4 Roadmap . . . 5

2 Preliminaries 5 2.1 Notations . . . 5

2.2 Code-Based Games . . . 6

2.3 Identity Based Encryptions . . . 6

2.4 Security against Selective Opening Attacks . . . 7

2.5 Indistinguishability with One-sided Publicly Openability . . . 7

3 Tightly Reducing SOA Security to IND-CPA with_δ-1SPO 8 3.1 Construction . . . 8

3.2 Security Analysis . . . 9

4 Tightly Reducing IND-CPA IBE withδ-1SPO to Static Assumptions 11 4.1 Composite-order Bilinear Groups . . . 11

4.2 Construction . . . 13

4.3 Security Analysis . . . 13

5 Conclusion 22

∗_{Department of Computer Science and Engineering, Shanghai Jiao Tong University. Email:[email protected]} †_{Shanghai Key Lab for Trustworthy Computing, East China Normal University. Email:[email protected]} ‡_{Shanghai Key Lab for Trustworthy Computing, East China Normal University. Email:[email protected]}

1

Introduction

1.1

Background and Problem

Boneh and Franklin[BF01]formalized the notion of ciphertext indistinguishability under chosen ciphertext attack (IND-CCA) for identity based encryptions (IBE) and proposed the first practical solution in the random oracle model. Since then IND-CCA security and its weakened version, ciphertext indistinguishability under chosen plaintext attack (IND-CPA), have been accepted as standard security definitions for IBE. However stronger security guarantee is required in some application scenarios. In 2011, Bellare, Waters, and Yilek proposed the selective opening security (SOA) for IBE, which may act as the basis for discussing adaptively secure multi-party computation protocol[BWY11].

Different from IND-CPA, the SOA security formalized in[BWY11]considers a communication system with multiple senders and multiple receivers. Besides eavesdropping all ciphertexts from communication channel, the adversary can also corrupt a subset of senders, extracting their plaintexts as well as random coins they used when generating corresponding ciphertexts. The SOA security ensures that ciphertexts sent by uncorrupted senders should not reveal any useful information on their corresponding plaintexts.

To construct an IBE achieving SOA security described above, Bellare et al.[BWY11] introduced a new primitive, IND-CPA one-bit IBE with one-sided publicly openability (1SPO), which is analogous to a weaker form of deniable public key encryption (PKE)[CDNO97]. Informally, the 1SPO property here requires that one canpubliclyrecover the random coins used to encrypt message 1. They showed that a one-bit IBE with such a security guarantee can be generically transformed to a multi-bit IBE with SOA security in a quite straight way and provided two concrete constructions for such type of IBE based on Boyen and Waters’s anonymous IBE[BW06]and De Caro, Iovino and Persiano’s anonymous IBE[DCIP10], which is further based on Lewko and Waters’ IBE[LW10]employing the recently developed dual system technique[Wat09]. This results in two SOA secure IBE schemes based on decisional linear assumption and general subgroup decision assumption, respectively.

However both resulting constructions are not tight, the security loss is O(k`) where k is the number of senders and `is the length of each message in binary form. Namely the advantage of breaking the SOA security of these scheme is bounded by the advantage of solving some computational assumption times a factor

O(k`). This means that, in order to reach certain bit security, we have to use larger security parameters to compensate the security loss, which often leads to large group size and inefficient group operation. Therefore a tightly secure construction is desirable from both theoretical and practical points of view.

Our paper is devoted to develop an IBE scheme reaching SOA security in a tighter fashion. In particular, we give a SOA secure IBE almost-tightly reduced to several static assumptions using composite order bilinear groups. The “almost-tight” means the security loss is proportional to the security parameterλand independent ofkand`. In general, we considerλas a number far smaller thank`.

1.2

Our Technique

Our work is motivated by the work of Hofheinz, Koch, and Striecks on almost-tight IBE in the multi-instance, multi-ciphertext setting[HKS15]. Roughly speaking, the so-called “ciphertext indistinguishability in the multi-instance, multi-ciphertext setting” ensures the confidentiality of multiple ciphertexts simultaneously. In the paper, we only consider a special case, i.e., the “single-instance, multi-ciphertext” setting (IND-mCPA). On the other hand, in the terms of Hofheinzet al., the one-bit IBE used in Bellareet al.’s generic construction of SOA secure IBE is IND-CPA in the single instance, single ciphertext setting. Therefore a straight observation shows that, if we replace the one-bit IBE here with an IND-mCPA one-bit IBE also with 1SPO, this generic construction would become constantly tight. This result is quite obvious and is easy to demonstrate, we briefly present it in Section3to make the paper self-contained.

Having a tight generic transformation from IND-mCPA one-bit IBE to SOA secure multi-bit IBE, the re-maining work is to build such a one-bit IBE whose security is almost-tightly related to some computational assumptions. Our solution is a combination of Bellare, Waters, and Yilek’s second construction[BWY11]and Hofheinz, Koch, and Striecks’ technique_[HKS15_]. Before explaining our solution, we first review these two basic work.

used in the real system. We will say they are in thenormal space. The semi-functional keys and ciphertexts will only be used in security proof and are always defined as normal keys and ciphertexts mixed with some additional components. We will call these components semi-functional componentsand say they are in the semi-functional space. Relying on certain algebraic feature, we can ensure the independence of normal space and semi-functional space in some sense, which allows us to make some changes (say, increasing entropy and breaking some algebraic structure) in the semi-functional space but avoid negative impact on the normal space, i.e., the real system.

Bellare, Waters, and Yilek’s Method. Bellareet al.’s idea[BWY11]is originated from the work on deniable encryption[CDNO97]. From a high level, they built a one-bit IBE with both IND-CPA andone-sided invertible sampleability(1SIS). An encryption of message 0 has some specific algebraic structure which is detectable for secret keys (of course, related to the same identity) but is pseudo-random from view of outsiders (adversaries); an encryption of message 1 is truly random and invertible samplable using just master public key.

Assume a composite order bilinear groups₍G,GT,e,N =p1p2p3p4), we letGN0 be the subgroup of order

N0|N. We note that one can decomposeGasGp1×Gp2×Gp3×Gp4 and pairing operation on two elements

from two subgroups of co-prime orders equals 1_GT. Their second construction works as follows. An encryption of 0 for identityID∈_ZN is in the form of

€ UID

14X14 Šs

gt4

4, W

s 14g

t0

4

4

whereU₁₄,X₁₄,W_14∈Gp

1p4,g4∈Gp4 are parts of the master public key ands,t4,t

0

4∈ZN are random coins for encryption. Since both encryption and master public key are independent in subgroupGp4, the algebraic

structure is hidden for the outsider, which can be proved following[DCIP10,LW10]. However the structure can be detected using the secret key in the form of

g₁rgr3

3, €

UID

1X1 Šr

gr30

3

because they letU₁,X₁,g₁∈Gp1share the sameGp1-component withU14,X14,W14, respectively, and subgroup

Gp1,Gp3andGp4 are pairwise orthogonal under pairing operations. Here the subgroupGp1 acts as the normal

space while the subgroup Gp2 is the semi-functional space. The remaining two subgroups Gp3 andGp4 are

used to additionally randomize keys and ciphertexts, respectively.

Hofheinz, Koch, and Striecks’s Construction and Proof Technique. Their construction inherited the main algebraic structure of Chen and Wee’s almost-tightly secure IBE in the single-ciphertext setting[CW13]which employed a variant form of Waters Hash [Wat05]. It also works on a bilinear group of composite order N = p₁p₂p₃p₄ as above but supports the identity space defined as the set of all n-bit binary string. An encryption of messageMfor identityID∈ {0, 1}nis in the form of

g₁s, g P

w[2i−ID[i]]·s

1 , e(g1,h)αs·M

where g₁∈Gp1,g

w 1 ∈G2

n

p1 ande(g1,h)

α_∈

GT are parts of the master public key, andsis the random coin for encryption, while secret keys are in the form of

hα·h P

w[2i−ID[i]]·r

123 ·R4, h123r ·R

0

4

whereα∈ZN,h∈G,h123∈Gp1p2p3,h

w

123∈Gp1p2p3are given in the master secret keys, andr∈ZN,R4,R

0

4∈Gp4

are random coins. Here subgroup Gp1 again acts as the normal space, the semi-functional space consists of

subgroupGp2andGp3. The last subgroupGp4 is now used to randomize keys.

We now briefly review the proof procedure. The proof begins with introducingGp2-component into

ci-phertexts and conceptually inserting an random functionR₀mapping identity space to subgroupGp2p3whose

output is truly random but independent of the input as follows.

CT: (g₁ g₂ )s, (g₁ g₂ ) P

w[2i−ID[i]]·s

, e((g₁ g₂ )s,hα_· R0(ID) )·M

SK: hα· R₀(ID) ·h P

w[2i−ID[i]]·r

123 ·R4, hr123·R04

ciphertexts. Technically, each step relies on the orthogonality of subgroupGp2andGp3to independently adopt

the proof technique introduced by Chen and Wee[CW13]in each of the two subgroups. Finally, we will reach the scenario with

CT: (g₁g₂)s, (g₁g₂)Pw[2i−ID[i]]·s_{, e((g}

1g2)s,hα· Rn(ID) )·M

SK: hα· R_n(ID) ·h P

w[2i−ID[i]]·r

123 ·R4, h123r ·R04

where now Rn’s output depends on all bits of identity ID. Combining the feature of random function and the entropy of s, the random coin for encryption, we can readily show the pseudo-randomness of term e((g₁g₂)s_,hα

·Rn(ID))in all ciphertexts simultaneously in a tight fashion.

Our Attempts and Solution. At first glance, we can apply Bellareet al.’s idea directly to Hofheinz, Koch, and Striecks’ construction. We may remove the master secret keyhαand drop payload maske(g₁,h)α, put the structure into a bilinear group of orderN=p₁p₂p₃p₄p₅and use the extra subgroupGp5to hide the structure of

ciphertexts as_[DCIP10,BWY11_]. The result is as follows. An encryption of message 0 for identityID∈ {0, 1}n looks like

g₁sgt5

5, g

P

w[2i−ID[i]]·s

1 g

t0₅ 5

where gt5

5,g t0

5

5 ∈Gp5 function asg

t4

4 andg t0₄

4, whileg1∈Gp1 andg

w 1 ∈G2

n

p1 should be multiplied by a random

element ofGp5 before they are published withg5as the master public key. On the other hand, secret keys for

IDshould look like

h P

w[2i−ID[i]]·r

123 ·R4, hr123·R04

It is easy to verify the correctness of this construction. However the proof technique for proving IND-mCPA is not applicable now. We remark that it is the master secretαthat allows us to introduce the random function into the system after introducingGp2-components into all ciphertexts.

A natural idea to overcome this problem may be to takehαback in secret keys and put an additional term e(g₁,h)αsin ciphertexts. However we still don’t know how to prove the resulting scheme to be IND-mCPA yet even though Hofheinzet al.’s proof technique now works. To see that we remind the reader of the fact that our technical goal is to show all components in ciphertexts of message 0 are pseudo-random. The proof technique here finally allows us to argue the pseudo-randomness of e(g₁,h)αs_{, but not g}Pw[2i−ID[i]]·s

1 g

t0

5

5, since no addi-tional entropy has been introduced in it during the proof. It is worth noting that Attrapadunget al.[AHY15]

showed how to tightly obtain anonymity from a similar structure (using prime-order bilinear groups), i.e., the IND-mCPA in our setting. However they required the key generation procedure to be somewhat deterministic. Namely they use the same random coins for generating secret keys for the same identity. In our paper, we continue to work with the classical definition where each secret key is created from fresh random coins.

Our solution is to turn to the original version of Waters Hash[Wat05]where the encoding of identityIDis not linear but affine. In particular, we define an encryption for message 0 as

g₁sgt5

5, g( u+P

w[2i−ID[i]])·s

1 g

t0

5

5

where the newly introducedgu

1∈Gp1is also published as a part of master public key after hidden by a random

element ofGp5; secret keys are defined as

h(u+ P

w[2i−ID[i]])·r

123 ·R4, hr123·R04

whereuis also introduced to maintain correctness. At this time, we can insert a random function relying on the entropy ofu∈ZNand continue the proof procedure, which circumvents the issues in our first attempt. In particular, the first step of the proof now results in the following ciphertexts and secret keys

CT: (g₁ g₂ )sg₅t5, (g₁ g₂ )(u+ P

w[2i−ID[i]])·s_gt50

5 · g R0(ID)·s

2

SK: hR0(ID)·r 23 ·h(

u+P

w[2i−ID[i]])·r

123 ·R4, hr123·R04

where we define the random function mapping from identity space to ZN instead of Gp2p3. We note that,

connected through bilinear map e. Finally, we will reach the following configuration using Hofheinzet al.’s technique with tiny technical tuning due to our different definition of random functionR0andRn.

CT: (g₁g₂)sgt5

5, (g1g2)(u+ P

w[2i−ID[i]])·s_gt05

5 · g Rn(ID)·s 2

SK: hRn₂₃(ID)·r ·h(u+ P

w[2i−ID[i]])·r

123 ·R4, hr123·R04

At this moment, we see that the pseudo-random terms g₂Rn(ID)·sandh₂₃Rn(ID)·r are bound withg(u+ P

w[2i−ID[i]])·s 1

andh(u+ P

w[2i−ID[i]])·r

123 respectively, which facilitates the proof of pseudo-randomness of the entire ciphertexts and circumvents the problem in our second attempt. We show the formal description of this construction and its security analysis in Section4.

1.3

Related Work

Identity Based Encryption. The notion of identity based encryption was introduced by Shamir[Sha85]to alleviate the cost of key management in traditional PKI framework. The first practical solution with for-mal security analysis for this promising primitive was found by Boneh and Franklin [BF01] in 2001 using bilinear groups. A bunch of constructions are proposed in the next several years, including classical Boneh-Boyen[BB04b,BB04a], Waters[Wat05], and Gentry[Gen06]construction.

A recent breakthrough in this field is the introduction of dual system technique by Waters[Wat09], which is now widely used for building various types of adaptively secure functional encryptions [LW10,LOS+10,

OT10,LW11,CLL+13,Lew12,LW12,OT12b,OT12a,RCS12,JR13]. There also appears general frameworks

investigating the dual system technique, especially its application in functional encryption [Att14, BKP14,

Wee14,CGW15_].

In 2013, Chen and Wee [CW13]eastablished the first IBE scheme with almost-tight reduction to static assumptions in the standard model, combining the dual system technique with Naor-Reingold technique for pseudo-random functions[NR04]. The method was extended to the “multi-instance, multi-ciphertext” setting by Hofheinz, Koch, and Striecks[HKS15]. Two very recent work[AHY15,GCD+15]gave the prime-order real-ization of Hofheinzet al.’s composite-order construction. Besides that the work by Attrapadunget al.[AHY15]

also proposed a framework for building almost-tight IBE from broadcast encodings_[Att14_], which leads to a lot of new constructions with diverse features.

Selective Opening Security. The study of selective opening security started from the field of public key en-cryption. Since the work of Bellare, Hofheinz, and Yilek[BHY09], the community obtained several

solution-s[FHKW10,HLOV11,Hof12,HLQ13,HJKS15,LP15]covering various settings such as chosen plaintext attack

(SO-CPA) and chosen ciphertext attack (SO-CCA). In 2011, Bellare, Hofheinz, and Yilek brought SOA security into the field of IBE[BWY11] by considering SO-CPA security. The blank of SO-CCA security was recently filled by Laiet al.[LDL+14]relying on several newly introduced primitives. Our paper only considers SO-CPA following_[BWY11_]. Very recently, Heet al.[HLL+15_]gave an IBE scheme achieving indistinguishability-based SOA security under chosen-plaintext attack in the selective identity model, which is weaker than the security model used in[BWY11,LDL+14]and ours as well.

1.4

Roadmap

The remainder of our paper is organized in three parts. We first define some notations and review several concepts and security models in Section2. Section3shows a generic construction from IND-mCPA one-bit IBE to SOA-secure multi-bit IBE with tight reduction. Such a one-bit IBE is presented in Section4followed by a series of static assumptions in composite-order bilinear groups. Finally, we conclude the paper in Section5.

2

Preliminaries

2.1

Notations

We employ x := f(y)to denote the process of assigning to x the result of f(y)for some formula f(·)

let w[i] denote the ith entry of w. Similarly, for any binary string ID ∈ {0, 1}∗, we use ID[i] to indicate the ith bit ofID. The notation y _←Alg(x₁, . . . ,x_n;r₁, . . . ,r_m)or Alg(x₁, . . . ,x_n;r₁, . . . ,r_m)_→ y refer to the process of running algorithmAlgwith inputsx₁, . . . ,x_nand random coinsr₁, . . . ,r_m, then assigning the result to variable y. The random coins may be omitted for brevity. We may also use a more compact form y ←

Alg₍x;r₎wherex:₌ x₁, . . . ,xn

andr:₌ r₁, . . . ,rm

. For any fixed inputx, the set_[Alg₍x_)]is defined as

y:∃rs.t.Alg(x;r) =y .

Given a finite cyclic group G, we use X ← G to denote the process of sampling a random element in G. In particular, the notation is for the so-called “lazy sampling”. Assuming g ∈G is a generator of group G of order N, we sample X from Gby randomly sampling x from ZN and setX := gx. As [BWY11], we consider sampling random element from ZN (for anyN ∈Z>0) as the unique random source in our system, and denote this atomic process by x←ZN. For any element g∈Gand list or vectorw= (w1, . . . ,wn)∈ZnN, we define gw := (gw1_{, . . . ,g}wn)_∈

Gn. Given g= (g1, . . . ,gn)andh= (h1, . . . ,hn), two vectors overG, we defineg·h:= (g_1·h₁, . . . ,g_n·h_n)_∈Gn_.

2.2

Code-Based Games

As[BWY11], we employ code based games[BR06]for our security definitions and proofs. A code based

game is defined by anInitializeprocedure and aFinalizeprocedure plus a series of procedures, which will be used to answer adversaryA’s queries and depends on the security notion we concern. The game begins with runningInitializeprocedure and transmitting the result to adversaryA. During the game,A is allowed to make various types of queries in any order. In general,A is capable of making polynomial-many queries. Finally,A is expected to return an output before it halts. The output of the game is then obtained by invoking Finalize procedure on A’s output. As usual, we let Game_A(λ) = y denote the event that the output of executingGamewith adversaryA on security parameter 1λis y.

2.3

Identity Based Encryptions

Algorithms. An identity-based encryption scheme with identity spaceIdSpand message spaceMsgSp con-sists of four (probabilistic) polynomial time algorithms defined as follows:

– Setup(1λ)→(MPK,MSK). The setup algorithm takes as input a security parameter 1λ, and outputs a master public keyMPKand the corresponding master secret keyMSK.

– KeyGen(MPK,MSK,ID) →SK. The key generation algorithm takes as input a master public key MPK, a master secret keyMSKand an identityID∈IdSp, and outputs a secret keySK.

– Enc(MPK,ID,M)→ CT. The encryption algorithm takes as input a master public key MPK, an identity ID∈IdSpand a messageM∈MsgSp, outputs a ciphertextCT.

– Dec₍MPK,SK,CT)→M. The decryption algorithm takes as input a master public keyMPK, a secret keySK and a ciphertextCT, outputs a messageMor a failure symbol⊥.

Correctness. The correctness (with negligible failure probability) requires that, for all security parameterλ, for all(MPK,MSK)∈[Setup(1λ)], allID∈IdSp, and allM∈MsgSp, it holds that

Pr[Dec(MPK,KeyGen(MPK,MSK,ID),Enc(MPK,ID,M)) =M]_¾1−ε,

whereεis negligible inλand the probability space is defined by random coins consumed by algorithmKeyGen andEnc.

More Notations. We now define two sets for an IBE scheme. We let Coins(MPK,M) be the set of random coins used to encrypt messageMfor all(MPK,MSK)∈[Setup(1λ)]. We also useCoins(MPK,ID,CT,M)to denote

2.4

Security against Selective Opening Attacks

Bellareet al.[BWY11]formally defined selective opening security in the setting of IBE based on the work

of[BHY09]. This subsection review their definition through two games:SOAREALandSOASIM, defined in

Figure1and Figure2, respectively. In the figures,M is called(k,`)-message sampler which takesα∈ {0, 1}∗

as input and returnsmsuch that|m|=kandm[i]∈ {0, 1}`for alli∈[k], andRis any randomized algorithm with binary output. In both games, an adversary must make oneNewMesgquery before oneCorruptquery. Besides, game SOAREALadditionally allows the adversary to adaptively make polynomially-many Extract queries.

Initialize

(MPK,MSK)←Setup(1λ) returnMPK

NewMesg(id,α)

if id∩ExID6=;then return⊥

ChID:=ChID∪id m← M(α)

fori∈[k]do

r_[i]←Coins₍MPK,m_[i])

ct[i]←Enc(MPK,id[i],m[i];r[i]) return ct

Extract(ID)

ifID∈ChIDthen return⊥ ExID:=ExID∪ {ID}

returnKeyGen(MPK,MSK,ID)

Corrupt(I) return r[I],m[I]

Finalize₍OUT)

returnR(m,ChID,I,OUT)

Figure 1: SOAREALGame

Initialize return⊥

NewMesg₍id,_α) ChID:=ChID∪id m← M(α)

return⊥

Corrupt(I) return m[I]

Finalize(OUT)

returnR(m,ChID,I,OUT)

Figure 2:SOASIMGame

The SOA-advantage function of SOA-adversaryA against an SOA-simulatorS with respect toM andR

is defined as follows.

AdvSOA_A,S,M,R(λ):= Pr

”

SOAREAL_{A,M,R(λ) =}1—−Pr”SOASIM_{S,M,R(λ) =}1— .

An IBE scheme is SOA secure if and only if, for any message samplerM, any binary relationR, any proba-bilistic polynomial time SOA-adversaryA, there exists an SOA-simulatorS such that the advantage function AdvSOA_A,S,M,R(λ)is negligible in_λ.

2.5

Indistinguishability with One-sided Publicly Openability

The ciphertext indistinguishability under chosen plaintext attack[BF01](IND-CPA) is one of well-known security definitions for IBE. In the model, given master public key, an adversary is able to obtain polynomially-many secret keys adaptively and a single challenge ciphertext for one of challenge messages, and is asked to guess a secret bit (which indicates which challenge message is used to generate challenge ciphertext). We consider IND-CPA in the multi-ciphertext setting (IND-mCPA) where the adversary now has access to polynomially-manychallenge ciphertexts, which is recently proposed and investigated in more general multi-instance, multi-ciphertext setting[HKS15].

More formally, we review the notion of IND-mCPA[HKS15]through gameINDmCPAshown in Figure3. The advantage function of adversaryA in gameINDmCPAis defined as

Initialize

(MPK,MSK)←Setup(1λ)

β← {0, 1}

returnMPK

Extract(ID)

ifID∈ChIDthen return⊥ ExID:=ExID∪ {ID}

returnKeyGen(MPK,MSK,ID)

Challenge(ID∗,M∗₀,M∗₁) ifID∗∈ExIDthen return⊥

ChID:=ChID∪ {ID∗} returnEnc(MPK,ID∗,M∗_β)

Finalize_(β0₎

return(β=β0)

Figure 3: INDmCPAGame

An IBE scheme is said to be IND-mCPA if and only if the advantage functionAdvINDmCPA_A (λ)is negligible inλ for any probabilistic polynomial time adversaryA.

However the IND-mCPA alone is not sufficient for realizing SOA security. We require an additional property, called One-Sided Publicly Openability (1SPO), proposed by Bellareet al.[BWY11] based on the concept of deniable PKE_[CDNO97_]. Roughly speaking, 1SPO for an IBE withMsgSp₌{0, 1}means that one can publicly open a ciphertext for message 1 by presenting its random coins. More formally, we review the following algorithm.

– OpenToOne(MPK,ID,CT)→r. The setup algorithm takes as input a master public keyMPK, an identity ID∈IdSpand a ciphertextCTof 1, outputs a random coinrsuch thatCT=Enc(MPK,ID, 1;r).

We allow algorithmOpenToOneto output failure symbol⊥with probabilityδand require that, for allMPK∈

[Setup(1λ)], allID∈IdSp, allCT∈[Enc(MPK,ID, 1)], and all_br∈Coins(MPK,ID,CT, 1),

Pr[r←OpenToOne(MPK,ID,CT):r=_br|r6=⊥] = 1

|Coins(MPK,ID,CT, 1)|

The algorithm is calledδ-1SP opener and an IBE with aδ-1SP opener is calledδ-one-sided publicly openable (δ-1SPO).

3

Tightly Reducing SOA Security to IND-CPA with

δ

-1SPO

Bellareet al.[BWY11]presented a trivial construction for`-bit IBEIBE`from one-bit IBEIBE, and proved thatIBE`achieves SOA security if the underlyingIBEis IND-CPA withδ-1SPO. Their reduction haspolynomial security loss. We review this trivial construction (with different identity space) and prove thatIBE`achieves SOA security if the underlying IBE is IND-mCPA with δ-1SPO. We emphasize that our reduction only has constant security loss.

3.1

Construction

Assume an one-bit IBEIBE_{= (}Setup,KeyGen,Enc,Dec)withIdSp_{= {}0, 1}n_andMsgSp=

{0, 1}. The

`-bit IBEIBE`₌€Setup`,KeyGen`,Enc`,Dec`ŠwithIdSp₌{0, 1}n

(identical toIBE) andMsgSp₌{0, 1}`is defined as in Figure4.

Setup`(1λ,n) returnSetup(1λ,n)

Dec`<sub>(</sub>MPK,SK,ct<sub>)</sub> fori∈[`]do

M[i]←Dec(MPK,SK,ct[i]) returnM

KeyGen`(MPK,MSK,ID) returnKeyGen(MPK,MSK,ID)

Enc`<sub>(</sub>MPK,ID,M) fori∈[`]do

ct[i]←Enc(MPK,ID,M[i]) return ct

Figure 4: FromIBEtoIBE`.

3.2

Security Analysis

We want to prove the following theorem.

Theorem 1 For any message sampler_M, any binary relation_R, any probabilistic polynomial time SOA-adversary

A making at most Q_K Extractqueries, there exists a probabilistic polynomial time SOA-simulator_S and adver-saryBsuch that

AdvSOA_A,S,M,R(λ)≤2·AdvINDmCPA_{B (λ) +}k`·δ.

The proof begins with constructing a SOA-simulatorS in SOASIMgame, which takes any probabilistic polynomial time SOA-adversary A as oracle. Our proof continues employing Bellare et al.’s construction and we recall it in Figure5. The SOA-simulatorS prepares a fresh master public/secret key pair(MPK,MSK) and initializes a SOA-adversaryA usingMPK. To obtainA’s output,S answers all queries made by it, i.e., simulatingSOAREALgame forA. TheExtractqueries are directly answered usingMSK. For theNewMesg query, SOA-simulator S returns k encryptions of message 0`. In the figure, we use NewMesg_S to denote theNewMesgoracle forS inSOASIMgame, which returns nothing toS. For theCorruptquery,S opens corrupted messages correctly relying on the power ofOpenToOne algorithm. In particular, if the corrupted message bit is 0, the random coin used when answeringNewMesgquery could be returned directly; if the bit is 1 instead, the random coin must be resampled so as to explain the corresponding ciphertextS has given to

A, which is originally an encryption of 0, to be an encryption of 1.

main()

(MPK,MSK)←Setup`(1λ) returnA(MPK)

NewMesg(id,α) NewMesg_S(id,α) fori_∈[k]do

r[i]←Coins(MPK, 0`)

ct[i]←Enc`(MPK,ID[i], 0`;r[i]) return ct

Corrupt(I)

m[I]←Corrupt_S(I) fori∈I and j∈[`]do

if m_[i][j] =1then

r[i][j]←OpenToOne(MPK,id[i],ct[i][j]) return r[I],m[I]

Extract(ID)

returnKeyGen`(MPK,MSK,ID)

Figure 5: SOA-simulatorS.

One may see that the simulation ofS is different from the specification ofSOAREAL. Therefore the next step of the proof is to show that the simulation described in Figure5and the realSOAREALare computa-tionally indistinguishable from the viewpoint of A. In detail, we employ hybrid argument using the game sequence shown in Figure6.

We have the following lemmas immediately.

Lemma 1 For any message samplerM, any binary relationR, any adversaryA,

Pr[Game_0,A,M,R(λ) =1]−Pr[Game_1,A,M,R(λ) =1]

≤k`·δ.

Lemma 2 For any message sampler_M, any binary relation_R, any adversary_A,

Pr[Game2,A,M,R(λ) =1] =Pr[Game3,A,M,R(λ) =1].

Lemma 3 For any message samplerM, any binary relationR, any adversaryA,

Pr[Game_3,A(λ) =1] =Pr[SOASIM_S,M,R(λ) =1].

The first lemma follows from the fact that the algorithmOpenToOneis not perfect, its failure probability isδ, and there are at mostk`applications ofOpenToOne. For the second lemma, since we can answerNewMesg queries without knowing anything aboutm, it is safe to defer the sampling ofm. The last lemma follows the observation that the SOA-simulator described in Figure 5is able to simulateGame₃andS’s output always equalsA’s.

Game0, Game1 , Game2

Game3

Initialize

(MPK,MSK)←Setup(1λ) returnMPK

Extract(ID)

ifID∈ChIDthen return⊥ ExID:=ExID∪ {ID}

returnKeyGen₍MPK,MSK,ID)

Finalize(OUT)

returnR(m,ChID,I,OUT)

NewMesg(id,α)

if id∩ExID6=;then return⊥

ChID:₌ChID∪id m← M(α)

m← ⊥

fori∈[k]and j∈[`]do r_[i][j]←Coins₍MPK,m_[i][j])

r[i][j]←Coins(MPK, 0)

ct[i][j]←Enc(MPK,id[i],m[i][j];r[i][j]) ct_[i][j]←Enc₍MPK,id_[i], 0;r_[i][j]) return ct

Corrupt(I)

m← M(α)

fori∈Iand j∈[`]do

if m[i][j] =1then

r_[i][j]←OpenToOne₍MPK,id_[i],CT[i][j]) return r_[I],m_[I]

Figure 6: Game Sequence for SOA security

Lemma 4 (Game₁≈Game₂) For any message samplerM, any binary relationR, any probabilistic polynomial time adversary_A making at most Q_K key extraction queries, there exists an adversary_Bsuch that

Pr

”

Game1,A,M,R(λ) =1

—

−Pr”Game2,A,M,R(λ) =1

—

≤2·Adv

INDmCPA

B (λ).

andTime(B)≈Time(A) + (k`+QK)·poly(λ)wherepolyis independent ofA.

Proof.GivenMPKand oracle access toExtract_BandChallenge, algorithmBproceeds as follows: Initialize ReturnMPK.

Extract(ID) ReturnExtract_B(ID).

NewMesg₍id,_α) Return⊥whenid∩ExID6=;. UpdateChID:₌ChID∪id. Samplem← M(α). Fori∈[k] andj∈[`], ifm[i][j] =1, set

ct[i][j]_←Challenge(id[i], 0, 1),

otherwise, sample

r[i][j]←Coins(MPK, 0) and ct[i][j]←Enc(MPK,id[i], 0;r[i][j]).

Returnct.

Corrupt(I) Fori∈I andj∈[`], ifm[i][j] =1, set

r[i][j]_←OpenToOne(MPK,id[i],ct[i][j]).

Return(r[I],m[I]).

WhenA halts with outputOUT, algorithmB outputsR(m,ChID,I,OUT).

Observe that ifβ =0, the outputs ofChallenge are encryptions of 0 and the simulation is identical to Game₂. On the other hand, ifβ=1, the outputs ofChallengeare encryptions of 1 and the simulation is iden-tical to Game₁. Therefore we can conclude that

Pr

”

Game_1,A,M,R(λ) =1—−Pr”Game_2,A,M,R(λ) =1— ≤

4

Tightly Reducing IND-CPA IBE with

δ

-1SPO to Static Assumptions

4.1

Composite-order Bilinear Groups

We assume a group generatorGrpGenfor composite-order bilinear groups, which takes as input a security parameter 1λ, outputs N,G,GT,e,p1, . . . ,p5

whereN=p₁· · ·p₅and allpiare prime numbers in[2λ−1, 2λ− 1], bothGandGT are cyclic groups of order N, ande:G×G→GT is an admissible bilinear map. We let GandGT also contain their generators, denoted byg∈GandgT∈GT, respectively. We define public group description G = N,G,GT,eand take factoring ofN, i.e., p1, . . . ,p5, as secret information. It is the secret information that allow us to derive the generator of each subgroup from the generator of the entire group, i.e.,

g∈G, and sample random element from it.

For positive integerN0withN0|N, we useGN0 to indicate the unique subgroup of orderN0. Giveng∈_Gn

andh_∈Gm such that gcd(n,m) =1, we havee(g,h) =1_GT. In fact, we can decomposeGasGp1× · · · ×Gp5

and write gx forx ∈ZN asQ5i=1g xi

i whereGpi is generated by gi∈Gpi andxi ∈ZN is unique modulopi. Under the representation, we callQ_i∈Igxi

i for someI⊆[5]theGN0-part ofg

x_whereN0₌Q i∈Ipi.

We need the following six computational assumptions to reach IND-mCPA security. Assumption1, 2,5,

6 are concrete instantiations ofGeneral Subgroup Decision Assumptionformalized by Bellareet al.[BWY11]

which is inspired by several concrete assumptions used in_[BGN05,DCIP10,LW10_]. Assumption3and4are modified from Hofheinzet al.’sDual System Assumption 3[HKS15]and Chen and Wee’s second assumption in

[CW13], respectively. In fact the Dual System Assumption 3[HKS15]was also derived from Chen and Wee’s second assumption. All of them could be viewed as Diffie-Hellman Assumption on subgroups of composite-orderG.

Assumption 1 For any probabilistic polynomial time adversaryA, the advantage function defined as follows are negligible inλ.

AdvSD1_A (λ):=PrA(D,T₀) =1−PrA(D,T₁) =1 where

N,G,GT,e,p1, . . . ,p5

←GrpGen(1λ);G= N,G,GT,e; g_1←Gp

1; g4←Gp4; g5←Gp5;X1X2X3←Gp1p2p3;

D← G,g₁,g₄,g₅,X₁X₂X₃ ;

T₀←Gp₁; T1←Gp1p2.

Assumption 2 For any probabilistic polynomial time adversaryA, the advantage function defined as follows are negligible inλ.

AdvSD2_A (λ):=PrA(D,T₀) =1−PrA(D,T₁) =1 where

N,G,GT,e,p1, . . . ,p5

←GrpGen(1λ); G= N,G,GT,e; g_1←Gp

1; g4←Gp4; g5←Gp5; X2X5←Gp2p5; Y2Y3←Gp2p3;

D← G,g₁,g₄,g₅,X₂X₅,Y₂Y₃ ;

T₀←Gp2p5; T1←Gp3p5.

Assumption 3 For any probabilistic polynomial time adversaryA, the advantage function defined as follows are negligible inλ.

AdvDDH1_A (λ):=PrA(D,T₀) =1−PrA(D,T₁) =1 where

N,G,GT,e,p1, . . . ,p5

←GrpGen(1λ);G= N,G,GT,e; g_1←Gp

1; g2←Gp2; g3←Gp3; g4←Gp4; g5←Gp5;

e

X₄,Ye4,X4,Y4←Gp4; x,y,z←Z

∗

N;

D=€G,g₁,g₂,g₃,g₄,g₅,g₂xXe4,g y

2Ye4,g3xX4,g y 3Y4

Š ;

Assumption 4 For any probabilistic polynomial time adversaryA, the advantage function defined as follows are negligible inλ.

AdvDDH2_A (λ):=Pr

A(D,T₀) =1

−Pr

A(D,T₁) =1

where

N,G,GT,e,p1, . . . ,p5

←GrpGen(1λ);G= N,G,GT,e; g₁←Gp₁; g2←Gp2; g3←Gp3; g4←Gp4; g5←Gp5;

e

X₅,Ye₅←Gp₅; x,y,z←Z∗_N; D=€_G,g₁,g₂,g₃,g₄,g₅,g₂xXe5,g

y 2Ye5

Š ;

T₀←g₂x y; T₁←g₂x y+z.

Assumption 5 For any probabilistic polynomial time adversary_A, the advantage function defined as follows are negligible inλ.

AdvSD3_{A (λ)}:=PrA(D,T₀) =1−PrA(D,T₁) =1 where

N,G,GT,e,p1, . . . ,p5

←GrpGen(1λ);G= N,G,GT,e; g₂←Gp2; g3←Gp3; g4←Gp4; g5←Gp5;

X₁X₅←Gp1p5; Y1Y2Y3←Gp1p2p3;

D= _G,g₂,g₃,g₄,g₅,X₁X₅,Y₁Y₂Y₃ ;

T₀←Gp2p5; T1←Gp1p2p5.

Assumption 6 For any probabilistic polynomial time adversaryA, the advantage function defined as follows are negligible inλ.

AdvSD4_A (λ):=Pr

A(D,T₀) =1

−Pr

A(D,T₁) =1

where

N,G,GT,e,p1, . . . ,p5

←GrpGen(1λ);G= N,G,GT,e; g₁←Gp1; g2←Gp2; g5←Gp5;X2X3X4←Gp2p3p4;

D_{← G},g₁,g₂,g₅,X₂X₃X₄ ;

T₀←Gp1p2p5; T1←G.

To realize the One-sided Publicly Openability, we need G to be equipped with publicly reversible sam-pling[BWY11,FHKW10,LDL+14]. Formally, there exist two algorithms defined as follows.

– Sample_G()→G. The publicly reversible sampler takes no input and outputs a random element from groupGwith probability 1−ζor outputs a failure symbol⊥with probabilityζ. In particular, for all G0∈G, we require that

Pr

G=G0|G6=⊥₌ 1/|G|,

where the probability space is defined by random coins consumed bySample_G.

– Sample−1

G (G)→r. The public re-sampler takes an elementG∈Gas input and outputs random coinsr with probability 1−θ such thatSample_G(;r) =Gor outputs a failure symbol⊥with probabilityθ. In particular, we require that, for allr0∈RGwhereRG:=

br:SampleG(;br) =G ,

Pr

r=r0|r6=⊥₌ 1/|RG|,

wherethe probability space is defined by random coins consumed bySample−1 G .

Bellare, Waters, and Yilek[BWY11]had realized these two algorithms for bilinear groupG withζ≈ 1/2ρ andθ ≈1/2ρ whereρ is an independent parameter, based on the technique for hashing into elliptic curve groups _[BLS01_]. We will invoke Sample_G and Sample−1

Setup(1λ,n)

G :_{= (}N,G,GT,e)←GrpGen(1λ) fori∈[5]dogi←Gpi

v_5←ZN;G:=g₁gv5

5;Gb:=g1g2g3 u,u₅←ZN;w,w5←Z2Nn

U:₌g₁ugu5

5;W:=g1wg w5

5 ;

b

U:= g₁g₂g₃u;Wb := g1g2g3 w

MPK:= G,G,U,W,g₅

MSK:=€Gb,Ub,Wb,g4 Š

returnMPK,MSK

Dec(MPK,SK,CT)

ife(C,K) =e(C0,K0)then return0 else return1

OpenToOne(MPK,ID,CT) r←Sample−_G1(C) r0_←Sample−1

G (C

0₎

return r,r0

IdSp₌{0, 1}n_{,MsgSp={0, 1}}

KeyGen₍MPK,MSK,ID) r,r₄,r₄0 ←ZN

K:=Gbrg r4

4 K0:=€Ub

Qn

i=1Wb[2i−ID[i]] Šr

gr

0

4

4 return K,K0

Enc(MPK,ID,M) ifM=0then

s,s₅,s0₅←ZN

C:=€UQn_i=1W[2i₋ID[i]] Šs

gs5

5 C0:=Gsgs

0

5

5 else

C,C0_←Sample_G() return C,C0

Figure 7: Our Main Construction: IBE with 1SPO

4.2

Construction

Assuming a group generatorGrpGendescribed in previous subsection, our main construction is shown in Figure7, an IBE scheme with identity spaceIdSp={0, 1}n_{and message spaceMsgSp=}

{0, 1}which is also equipped with algorithmOpenToOnefor achieving One-Sided Publicly Openability.

The correctness of our construction is obvious. Fix anID∈IdSp. For the case C,C0∈[Enc(MPK,ID, 0)], we have

e(C,K) = e

U n Y

i=1

W[2i−ID[i]] !s

gs5

5,Gbrg r4

4 !

= e

 g(u+

Pn

i=1w[2i−ID[i]])s

1 ,g

r 1 ‹

=e

 gs₁,g(u+

Pn

i=1w[2i−ID[i]])r

1

‹

= e Gsgs05

5, Ub n Y

i=1 b

W[2i₋ID[i]] !r

gr40

4 !

=e(C0,K0),

which means Pr_[Dec₍MPK,SK,Enc₍MPK,ID, 0_{)) =}0_{] =}1. For the case C,C0

∈[Enc₍MPK,ID, 1_)], we letC=gc andC0=gc0wherec,c0∈ZN, and we have, with the probability space defined by samplingr,r4,r40,c,c0←ZN,

Pr_[Dec₍MPK,SK,Enc₍MPK,ID, 1_{)) =}0_]

= Pr

e(C,K) =e(C0,K0)

= Pr



e€gc,Gbrg r4

4 Š

=e gc0, Ub

n Y

i=1 b

W[2i−ID[i]] !r gr 0 4 4 ! 

= Prhe€ g₁g₂g₃g₄c, g₁g₂g₃rgr4

4 Š

=e g₁g₂g₃g₄c0, g₁g₂g₃(u+Pw[2i−ID[i]])r

gr

0

4

4 i

¶ 64/24λ

Therefore we conclude that Pr[Dec(MPK,SK,Enc(MPK,ID, 1)) =1]¾1−64/24λ.

As[BWY11], algorithmOpenToOneindeed satisfies our requirement defined in Section2by the property

of algorithm Sample_G andSample−1

G shown in previous subsection. We remark that algorithmOpenToOne runsSample−1

G twice independently and thus has failure probabilityδ¶2θ.

4.3

Security Analysis

Theorem 2 (Main Theorem) For any probabilistic polynomial time adversary A making QK key extraction queries and Q_C challenge queries, there exist adversaries_B1,_B2,_B3,_B4,_B5and_B6such that

AdvINDmCPA_A (λ) ¶ Adv_BSD1₁ (λ) +2n·AdvSD2_B1(λ) + (n+1)·AdvDDH1_B3 (λ)

+AdvDDH2_B

4 (λ) +Adv

SD3

B5 (λ) +Adv

SD4

B6 (λ) +2ζ.

andmaxi∈[6]Time(Bi)≈Time(A) + (QC+QK)·poly(λ,n)wherepolyis independent ofA.

4.3.1 Organization of Proof

Before we proceed, we define two functions for brevity:

h(u,w,ID):=u+ n X

i=1

w[2i−ID[i]] and H(U,W,ID):=U·

n Y

i=1

W[2i−ID[i]] (1)

whereID∈ {0, 1}n,u∈_ZN,w∈_Z2_Nn,U∈_G, andW∈_G2n. When we setU=guandW=gwfor someg∈_G, we immediately have the following relation

H(U,W,ID) =gh(u,w,ID)

.

We also need a family of random functions

Ri(·) i∈{0}∪[n] defined as follows:

Ri(ID):ID|i→ZN, ∀i∈ {0} ∪[n],

whereID|_idenotes thei-bit prefix ofID. We note that the Chinese Reminder Theorem implies thatRi(ID)mod p₂andRi(ID)modp3are distributed independently, which correspond toRb_iandRe_i, respectively, in[HKS15]. Although the range of random functions isZN, the actual working range isRi(ID)modp2andRi(ID)modp3 corresponding to semi-functional spaceGp2andGp3, respectively.

The proof follows hybrid arguments using a series of games, which can be roughly divided into four phases. We describe these games in a phase-by-phase fashion in Figure8, Figure9, Figure10, Figure11, respectively. In particular, we state that

– In phase 1, we introduce semi-functional components (elements inGp2) into ciphertexts and introduce

random functionR0into the system.

– In phase 2, we increase the entropy of random function we have introduced following the method of Hofheinzet al.[HKS15]. In particular, by executing phase 2 for ntimes, we replace the initial random functionR0withRn, whose output depends on all bits ofID.

– In phase 3, we handle the multiple occurrences of a single identity in challenge ciphertexts as well as in secret keys. We finally argue that multiple ciphertexts for a single identity are computationally independent in semi-functional space and so do secret keys. The proof will also follows Hofheinzet al.’s idea for full security[HKS15].

– In phase 4, we show that all ciphertexts forM=0 are computationally indistinguishable from those for M=1, which is truly random following the method used in[DCIP10,BWY11].

The remaining of the section includes four parts corresponding to four phases in order. Each part begins with games involved and then proves a series of lemmas showing computational indistinguishability of these games. Putting them together, we immediately obtain the main theorem. In the proof, we define the advantage function of adversaryA inGamex.x.x as

Adv_Ax.x.x(λ):= Pr

”

Gamex.x.x,A(λ) =1

—

−1/2 .

4.3.2 Phase 1: Prelude

All games used in Phase 1 is defined in Figure8.

Lemma 5 (Game₀≈Game₁) For any probabilistic polynomial time adversary A making QK key extraction queries and Q_C challenge queries, there exists an adversary_Bsuch that

Adv0_A(λ)−Adv1_A(λ)_¶AdvSD1_B (λ)

Initialize

G:= (N,G,GT,e)←GrpGen(1λ) fori_∈[5]dog_i←Gp

i v₅←ZN

G:=g₁gv5

5; Ge:= g1g2

gv5

5

b

G:=g₁g₂g₃

u,u₅←ZN;w,w5←Z2Nn U:=gu₁gu5

5 ;W:=gw1g w5

5

e

U:= g₁g₂ugu5

5 ;We := g₁g₂ w

gw5

5

b

U:= g₁g₂g₃u;Wb := g₁g₂g₃ w

β← {0, 1}

return G,G,U,W,g₅

Extract₍ID)

ifID∈ChIDthen return⊥ ExID:=ExID∪ {ID} r,r₄,r₄0 ←ZN K:=Gb

r_gr4

4

K0:=H(Ub,Wb,ID)rg r0

4

4

K0:₌ g₂g₃R0(ID)·r

·H(Ub,Wb,ID) r_gr40

4 return K,K0

Game0, Game1 , Game2.0 R0:IdSp→ZN

Challenge(ID∗,M∗₀,M∗₁) ifID∗∈ExIDthen return⊥

ChID:₌ChID∪ {ID∗} ifM∗_β=0then

s,s₅,s0₅←ZN C:₌H(U,W,ID)sgs5

5

C:=H(Ue,We,ID)sg s5

5

C:=gR0(ID∗)·s

2 ·H(Ue,We,ID)sg s₅ 5

C0:₌Gsgs05

5

C0:=Ge s_gs05

5 else

C,C0_←Sample_G() return C,C0

Finalize(β0₎

return(β=β0)

Figure 8: Game0,Game1,Game2.0

Proof. Given G,g₁,g₄,g₅,X₁X₂X₃,T

where T is a random element of eitherGp1 or Gp1p2, adversaryB

simulates the procedures as follows. We assumeg₂←Gp2, g3←Gp3and implicitly parseX1X2X3= g1g2g3

x

for some x∈ZN, and eitherT=g1t orT= g1g2 t

from somet∈ZN.

Initialize Samplev₅←ZN and setG:=g1·g v5

5. We implicitly defineGe:= g₁g₂

·gv5

5 andGb:=g₁g₂g₃. Sam-pleu,u₅←ZN,w,w5←Z2Nnand setU:= g

u 1g

u5

5 ,W:= g1wg w5

5 . We implicitly defineUe:= g₁g₂ u

gu5

5 ,

e

W:= g₁g₂wgw5

5 , Ub := g₁g₂g₃ u

, Wb := g₁g₂g₃ w

. Randomly pick β ← {0, 1} and outputMPK:=

G,G,U,W,g₅ .

Extract(ID) Return⊥whenID∈ChID. UpdateExID:=ExID∪ {ID}. Sampler0,r₄,r₄0 ←_ZNand set K:= X₁X₂X₃r0·gr4

4 and K0:= X1X2X3

h(u,w,ID)·r0

·gr04

4.

Output K,K0

. Here we implicitly setr:=x r0_∈ZN.

Challenge(ID∗,M∗₀,M∗₁) Return ⊥ when ID∗ ∈ ExID. Update ChID := ChID∪ {ID∗}. If M∗_β = 0, sample s0,s00₅,s000_{5 ←ZN} and set

C:₌Th(u,w,ID)·s0

·gs500

5 and C0:=T s0

·gs0005

5 .

If M∗_β =1, sample C,C0 ←Sample_G(). Output C,C0

. Here we implicitly sets ∈ZN such thats = ts0modp₁p₂.

Finalize_(β0_{) Output(β=β}0_).

The algorithmBoutputs 1 if and only ifFinalize(β0) =1, i.e., the adversaryA wins the game. Observe that ifT =g₁t∈Gp1, the simulation described above is identical toGame0; ifT= g1g2

t

∈Gp1p2,

the simulation is identical toGame₁. Therefore we can conclude thatAdv0_A(λ)−Adv_A1 (λ)_¶AdvSD1_B (λ). _ƒ Lemma 6 (Game₁₌Game_2.0) For any adversaryA, we haveAdv_A1 _{(λ) =}Adv2.0_A(λ).

Proof. Since random functionR0(·)is consistent on all possible identities in IdSp, R0(ID)for all ID∈IdSp is a single random variable independently distributed over ZN. If we sampleu0 ←ZN and set, inInitialize procedure inGame₁,

U:=g₁u0gu5

5 and Ue:= g1g2 u0

gR0

2 g u₅

5 and Ub:= g1g2g3 u0

the resulting game remains unchanged, since we in fact implicitly define

u=u0modp₁ and u=u0+R₀modp₂p₃,

which is still distributed overZN as we required inGame1. Observe that the simulation is also identical to Game2.0 withu = u0 except the definition of Ue andUb inInitialize procedure. However we note that the difference is just conceptual as both UeandUb are not given to adversary inMPK. Therefore we can conclude

thatGame₁andGame_2.0are statistically identical. ƒ

4.3.3 Phase 2: FromR0toRn

All games used in Phase 2 is defined in Figure9.

Initialize

G := (N,G,GT,e)←GrpGen(1λ, 5) fori∈[5]dogi←Gp_i

v₅←ZN;G:=g1g v5

5

e

G:= g₁g₂ gv5

5; G:= g1g3

gv5

5

b

G:=g₁g₂g₃

u,u₅←ZN;w,w5←Z2Nn U:=g₁ugu5

5 ;W:=gw1g w5

5

e

U:= g₁g₂ugu5

5 ;We := g1g2 w

gw5

5

U:= g₁g₃ugu5

5; W:= g1g3 w

gw5

5

b

U:= g₁g₂g₃u;Wb := g1g2g3 w

β← {0, 1}

return G,G,U,W,g₅

Extract(ID)

ifID∈ChIDthen return⊥ ExID:=ExID∪ {ID} r,r₄,r₄0 ←ZN K:=Gbrg

r4

4

K0:= g₂g₃Ri(ID)·r

·H(Ub,Wb,ID)rg r0

4

4

K0:= g₂g₃Ri+1(ID)·r

·H(Ub,Wb,ID)rg r0

4

4 return K,K0

Finalize_(β0₎

return(β=β0)

Game_2.i, Game2.i.1 , Game2.i.2 Ri:IdSp→ZN

Challenge(ID∗,M∗₀,M∗₁) ifID∗∈ExIDthen return⊥ ChID:=ChID∪ {ID∗}

ifM∗_β=0andID∗[i+1] =0then s,s₅,s₅0 ←ZN;

C:=gRi(ID∗)·s

2 ·H(Ue,We,ID∗) s_gs5

5

C:=gRi+1(ID∗)·s

2 ·H(Ue,We,ID∗)sg s5

5

C0=Ge s_gs05

5

elifM∗_β=0andID∗[i+1] =1then s,s₅,s₅0 ←ZN

C:=gRi(ID∗)·s

2 ·H(Ue,We,ID∗)sg s5

5

C:=gRi(ID∗)·s

3 ·H(U,W,ID∗) s_gs₅

5

C:=gRi+1(ID∗)·s

3 ·H(U,W,ID∗) s_gs5

5

C0:=Gesg s0

5

5

C0:=Gsgs05

5

else

C,C0_←Sample_G() return C,C0

Figure 9:Game2.i(i∈[0,n]),Game2.i.1(i∈[0,n−1]),Game2.i.2(i∈[0,n−1])

Lemma 7 (Game2.i≈Game2.i.1) For any probabilistic polynomial time adversaryA making QK key extraction queries and QC challenge queries, there exists an adversaryBsuch that

Adv2._Ai(λ)−Adv_A2.i.1(λ)_¶AdvSD2_B (λ)

andTime₍B)≈Time₍A) + (QC+QK)·poly(λ,n)wherepolyis independent ofA.

Proof.Given G,g₁,g₄,g₅,X₂X₅,Y₂Y₃,T

whereT is a random element of eitherGp2p5 orGp3p5, adversaryB

simulates the procedures as follows. We assume g₂←Gp₂, g3←Gp3and implicitly parseX2X5= g2g5

x for somex∈ZN,Y2Y3= g2g3

y

for some y∈ZN and eitherT = g2g5 t

orT= g₃g₅t for somet∈ZN.

Initialize Sample v₅←ZN and set G:= g1g v5

5. We implicitly defineGe := g1g2

gv5

5, G:= g1g3

gv5

5 and

b

G:=g₁g₂g₃. Sampleu,u₅←ZN andw,w5←Z2Nn, and setU:=g u 1g

u5

5 andW:=g1wg w5

5 . We implicitly defineUe:= g₁g₂

u gu5

5 ,We := g₁g₂ w

gw5

5 ,U:= g1g3 u

gu5

5 ,W:= g1g3 w

gw5

5 ,Ub:= g₁g₂g₃ u

and

b