(Hierarchical) Identity-Based Encryption from Affine Message Authentication

(1)

(Hierarchical) Identity-Based Encryption from Affine

Message Authentication

Olivier Blazy

Eike Kiltz

Jiaxin Pan

Faculty of Mathematics Horst Görtz Institute for IT-Security

Ruhr University Bochum, Germany {olivier.blazy,eike.kiltz,jiaxin.pan}@rub.de

Abstract

We provide a generic transformation from any affine message authentication code (MAC) to an identity-based encryption (IBE) scheme over pairing groups of prime order. If the MAC satisfies a security notion related to unforgeability against chosen-message attacks and, for example, the k-Linear assumption holds, then the resulting IBE scheme is adaptively secure. Our security reduction is tightness preserving, i.e., if the MAC has a tight security reduction so has the IBE scheme. Fur-thermore, the transformation also extends to hierarchical identity-based encryption (HIBE). We also show how to construct affine MACs with a tight security reduction to standard assumptions. This, among other things, provides a tightly secure IBE in the standard model.

Keywords: IBE, HIBE, standard model, tight reduction

1 Introduction

Identity-based encryption (IBE) [28] enables a user to encrypt to a recipient’s identityid(e.g., an email or phone number), and decryption can be done using a user secret key forid, obtained by a trusted authority. The first instantiations of an IBE scheme were given in 2001 [9, 6, 27]. Whereas earlier constructions relied on the random oracle model, the first adaptively secure construction in the standard model was proposed in [30]. Here adaptive security means that an adversary may select the challenge identityid∗ after seeing the public key and arbitrarily many user secret keys for identities of his choice. The concept of IBE generalizes naturally to hierarchical IBE (HIBE). In an L-level HIBE, hierarchical identities are vectors of identities of maximal lengthLand user secret keys for a hierarchical identity can be delegated. An IBE is simply aL-level HIBE with L= 1.

In this work we focus on adaptively secure (H)IBE schemes in the standard model. The construction from [30] has the disadvantage of a non-tight security reduction, i.e., the security reduction reducing security of theL-level HIBE to the hardness of the underlying assumption loses at least a factor of QL_,

where Qis the maximal number of user secret key queries. Modern HIBE schemes [29, 8] only lose a factorQ, independent ofL. The first tightly secure IBE was recently proposed by Chen and Wee [8] but designing aL-level HIBE for L >1and a tight (i.e., independent ofQ) security reduction to a standard assumption remains an open problem.

(2)

any pseudorandom function (PRF) plus a non-interactive zero-knowledge (NIZK) proof into a signature scheme. Until today no generic construction of a (H)IBE from any “simple” low-level cryptographic primitive is known. However, the recent IBE scheme by Chen and Wee [8] uses a specific randomized PRF at the core of their construction, but its usage is non-modular.

1.1 This Work

Affine MACs. In this work we put forward the notion ofaffine message authentication codes (affine

MACs). An affine MAC over _Zn

q is a (randomized) MAC with a special algebraic structure over some

group _G = hgi of prime-order q. For a vector a ∈ _Zn

q, define [a] := aP = (a1P, . . . ,anP)> ∈ Gn as

the implicit representation of a over _G. Roughly speaking, the MAC tag τm = ([t],[u]) of an affine

MAC over _Zn

q on message m ∈ M is split into a random message-independent part [t] ∈ Gn plus a

message-depending affine part[u]∈_Gsatisfying

u=Xfi(m)x>i ·t+

X

f_i0(m)x0_i∈_Zq, (1)

where fi, fi0 :M →Zq are public functions andxi ∈Znq,x0i∈Zq are from the secret keyskMAC. Almost

all group-based MACs recently considered in [12], as well as the MAC derived from the randomized Naor-Reingold PRF [25] implicitly given in [8] are affine.

From Affine MACs to (H)IBE.Let us fix (possibly symmetric) pairing groupsG1,G2,GT equipped

with a bilinear mape:G1×G2→GT. Let Dk-MDDH be any Matrix Diffie-Hellman Assumption [13]∗

that holds inG1, e.g.,k-Linear orDDH.

Our main result is a generic transformation IBE[MACn,Dk] from any affine message authentication

code MACn overZnq into an IBE scheme. If MACn (defined overG2) isPR-CMA-secure (pseudorandom against chosen message attacks, a decisional variant of the standardUF-CMAsecurity for MACs) and the Dk-MDDH assumption holds in G1, then IBE[MACn,Dk]is an adaptively secure (and anonymous) IBE

scheme. Furthermore, the security reduction ofIBE[MACn,Dk]is as tight as the one ofMACn. The size of

the public IBE parameters depends on the size of the MAC secret keyskMAC, whereas the IBE ciphertexts

and user secret keys always contain n+k+ 1group elements. We stress that our transformation works with anyk≥1and anyDk-MDDHAssumption, henceDkcan be chosen to match the security assumption

ofMACn.

We also extend our generic transformation to HIBE schemes. In particular, we have two generic HIBE constructions depending on different properties of the underlying affine MACs. If the affine MAC isdelegatable(to be defined in Section 5.1), we obtain an adaptively secureL-level HIBEHIBE[MACn,Dk].

Furthermore, if the affine MAC is delegatable andanonymity-preserving(to be defined in Section 5.5), we obtain an anonymous and adaptively secureL-level HIBEAHIBE[MACn,Dk]. Both of the constructions

have the same tightness properties as the MAC, and their ciphertexts sizes are the same as in the IBE case. Due to different delegation methods,AHIBE[MACn,Dk]has slightly shorter public parameters, but

larger user secret keys than HIBE[MACn,Dk].

Let us highlight again the fact that the underlying object is a symmetric primitive (a MAC) that we transform to an asymmetric primitive (an IBE scheme). Furthermore, as a MAC is a very simple and well-understood object, we hope that our transformation can contribute to understanding the more complex object of an IBE scheme.

Two Constructions of Affine MAC. To instantiate our transformations, we consider two specific

affine MACs. Our first construction,MACNR[Dk], is a generalization of the MAC derived from the affine

Naor-Reingold PRF [8] to any Dk-MDDH Assumption. (Unfortunately, the MAC based on the original

deterministic Naor-Reingold PRF [25] is not affine.) We show that it is affine over Znq withn=k. We

prove itsPR-CMA-security with an (almost) tight security reduction toDk-MDDH. (Almost tight, as the

security reduction loses a factorO(m), wheremis the length of the message space.) This leads to a more efficient IBE (compared with [8]) with a tight security reduction to a standard assumption. Ciphertexts

∗_The_D

k-MDDHassumption overG1 captures naturally all subspace decisional assumptions over prime order groups.

Concretely, it states that given[A]1∈G(k+1)×k, the value[A·w]1 ∈Gk+11 is pseudorandom, whereA∈Z (k+1)×k q gets

(3)

Scheme |pk| |usk| |C| Anon. Loss Assumption

Wat05[30] (4 +λ)|G1| 2|G2| 2|G1| – O(λQ) DBDH

Wat09[29] 12|G1|+|GT| 8|G2|+|Zq| 9|G1|+|Zq| – O(Q) 2-LIN

Lew12[22] 24|G1|+|GT| 6|G2| 6|G1|

√

O(Q) 2-LIN CLL+₁₂

[7] 8|G1|+|GT| 4|G2| 4|G1| – O(Q) SXDH

JR13[17] 6|G1|+|GT| 5|G2| 3|G1|+|Zq| – O(Q) SXDH

CW13[8] 2k2₍₂_λ_{+ 1)}_|G

1|+k|GT| 4k|G2| 4k|G1| – O(λ) k-LIN

IBEHPS (3k2+ 4k)|G1| (2k+ 2)|G2| (2k+ 2)|G1|

√

O(Q) k-LIN IBENR (2λk2+ 2k)|G1| (2k+ 1)|G2| (2k+ 1)|G1|

√

O(λ) k-LIN Wat05[30] O(λL)|G1| O(λL)|G2| (1 +L)|G1| – O(λQ)L DBDH

Wat09[29] O(L)|G1| O(L)(|G2|+|Zq|) O(L)(|G1|+|Zq|) – O(Q) 2-LIN

CW13[8] O(Lk2₎₍_|G

1|+|G2|) O(Lk)|G2| (2k+ 2)|G1| – O(Q) k-LIN

HIBEHPS O(Lk2)(|G1|+|G2|) O(Lk)|G2| (2k+ 2)|G1| – O(Q) k-LIN

AHIBEHPS O(Lk2)|G1| O(Lk2)|G2| (2k+ 2)|G1|

√

O(Q) k-LIN

Table 1: Top: comparison between known adaptively secure IBEs with identity-spaceID={0,1}λ

in prime order groups from standard assumptions. We count the number of group elements inG1,G2, andGT. Qis the number of user secret key queries by the adversary. ‘Anon.’ stands for anonymity. HereIBEHPS:=IBE[MACHPS[Dk], k-LIN],

IBENR:=IBE[MACNR[Dk], k-LIN]are from this paper. Bottom: comparison ofL-level HIBEs with identity-space ID = ({0,1}λ₎L_. _HIBE

HPS :=HIBE[MACHPS[Dk], k-LIN] andAHIBEHPS :=AHIBE[MACHPS[Dk], k-LIN]are from this paper.

and user secret keys of IBE[MACNR[Dk],Dk] only contain2k+ 1 group elements which is 3 in case we

use k = 1 and the SXDH Assumption (i.e., DDH in _G1 and G2). Interestingly, our SXDH-based IBE scheme (given explicitly in Appendix D) can be seen as a “two-copy version” of Waters’ IBE [30] which does not have a tight security reduction. The disadvantage of MACNR[Dk]is that the public parameters

ofIBE[MACNR[Dk],Dk]are linear in the bit-size of the identity space.

Our second construction, MACHPS[Dk], is based on a hash proof system given in [13] for any Dk

-MDDH problem. A hash proof system is known to imply a UF-CMA-secure MAC [12]. We extend

this result to PR-CMA-security, where the reduction loses a factor of Q, the number of MAC queries. Furthermore, MACHPS[Dk] is affine over Zqk+1 (i.e., n = k+ 1) and delegatable. Whereas public

pa-rameters of theL-level HIBEHIBE[MACHPS[Dk],Dk]only depend onL, ciphertexts and user secret keys

contain 2k+ 2 group elements which is 4 in case of the SXDH assumption (k = 1). We remark that the efficiency of HIBE[MACHPS[Dk],Dk] is roughly the same as a HIBE proposed in [8]. Additionally,

we show MACHPS[Dk]is also anonymity-preserving, which implies an anonymous (but non-tight) HIBE,

AHIBE[MACHPS[Dk],Dk].

Table 1 summarizes all known (H)IBE scheme and their parameters.

Extensions. In fact, our generic transformation even gives (hierarchical) ID-based hash proof system from any (delegatable) affine MAC and the Dk-MDDH assumption. From an (H)ID-based hash proof

system one readily obtains anIND-ID-CCA-secure (H)IBE [20]. Furthermore, any (H)IBE directly implies a (Hierarchical ID-based) signature scheme [14, 18]. The signature obtained from IBE[MACNR[Dk],Dk]

has a tight security reduction. Even though it is not entirely structure preserving, it can still be used to obtain a constant-size IND-CCA-secure public-key encryption scheme with a tight security reduction in the multi-user and multi-challenge setting [16, 4].

Follow-up Work. Recently, our generic transformation (from an affine MAC to an IBE) has been

extended to construct quasi-adaptive non-interactive zero-knowledge proof systems for linear subspaces [21] and (linearly homomorphic) structure-preserving signature schemes [21, 19].

1.2 Technical Details

Our Transformation. The high level idea behind our generic transformationIBE[MAC,Dk]from any

affine MAC overZnq to an IBE scheme is the transformation from Bellare and Goldwasser [2] from a MAC

(4)

secret keys to be Bellare-Goldwasser signatures. The (H)IBE encryption functionality makes use of the special properties of the algebraic MAC and (tuned) Groth-Sahai proofs.

Concretely, the public keypkof the IBE scheme contains special perfectly hiding commitments[Z]1 to the MAC secret keys skMAC, which also depend on the Dk-MDDH assumption. The user secret key

usk[id] of an identity id contains the MAC tag τid = ([t]2,[u]2) ∈ Gn2+1 on id, plus a tuned Groth-Sahai [15] non-interactive zero-knowledge (NIZK) proof πthat τid was computed correctly with respect

to the commitments [Z]1 containing skMAC. Since the MAC is affine, the NIZK proof π ∈ Gk is very

compact. The next observation is that the NIZK verification equation for πis a linear equation in the (committed) MAC secret keys and hence a randomized version of it gives rise to the IBE ciphertext and a decryption algorithm.

Security Proof. The security proof can also be sketched easily at a high level. We first apply a

Cramer-Shoup argument [10], where we decrypt the IBE challenge ciphertext using the MAC secret key skMAC. Next, we make the challenge ciphertext inconsistent which involves one application of the

Dk-MDDH assumption. Now we can use the NIZK simulation routine to simulate the NIZK proof π

from the user secret key usk[id] = (τid, π). At this point, as the commitments perfectly hide the MAC

secret keys skMAC, the only part of the security experiment still depending on skMAC is τid from usk[id]

plus the computation of the challenge ciphertext. Now we are in the position to make the reduction to the symmetric primitive. We can use thePR-CMAsymmetric security of MACto argue directly about the pseudorandomness of the IBE challenge ciphertext. An IBE with pseudorandom ciphertexts is both IND-CPA secure and anonymous.

1.3 Other Related Work

Recently, Wee [31] proposed an information-theoretic primitive calledpredicate encodings that character-ize the underlying algebraic structure of a number of predicate encoding schemes, including known IBE [24] and attribute-based encryption (ABE) [23] schemes. The main conceptual difference to affine MACs is that predicate encodings is a purely information-theoretic object. Furthermore, the framework by Wee is inherently limited to composite order groups.

Waters introduced the dual system framework [29] in order to facility tighter proofs for (H)IBE systems and beyond. The basic idea is that there exists functional and semi-functional ciphertexts and user secret keys, that are computationally indistinguishable. Decrypting a ciphertext with a user secret key is successful unless both are semi-functional. The Dk-MDDH assumptions are specifically tailored

to the dual system framework as they provide natural subspace assumptions over _Gk+1_{. Previous dual} system constructions [29, 24, 8] usually first construct a scheme over composite-order groups and then transform it into prime-order groups. As the transformation uses a subspace assumption over_Gk+1 _for each component of the composite-order group, ciphertexts and user secret keys contain at least2(k+ 1)

group elements. An exception is a recent direct construction in prime-order groups by Jutla and Roy [17]. Their scheme is based on the SXDHassumption(i.e., k= 1)and achieves slightly better ciphertext size of 3 group elements plus one element fromZq. Even though our construction and proof strategy

is inspired by the Bellare-Goldwasser NIZK approach and Cramer-Shoup’s hash proof systems, we still roughly follow the dual system framework. However, as we give a direct construction in prime-order groups, our IBE schemeIBE[MACNR[Dk],Dk]has ciphertexts and user secret keys of size2k+ 1, breaking

the “2(k+ 1)barrier”.

1.4 Open Problems

We leave finding aPR-CMA-secure algebraic MAC with a tight security reduction and constant-size secret keys as a main open problem. Given our main result this would directly imply a tightly-secure IBE with constant-size public parameters. Furthermore, we leave finding a tightly-secure (anonymity-preserving) delegatable affine MAC as an open problem, which would imply a tightly-secure (anonymous) HIBE.

(5)

1.5 Publication Info

An extended abstract of this work appeared in the proceedings of CRYPTO 2014 [5]. Theorem 4 of [5] claimed that MACNR[Dk]is a tightly-secure delegatable affine MAC (implying a tightly-secure HIBE by

our transformation in Section 5.4). We removed this theorem because its proof contained a flaw. This was pointed out by Jie Chen.

2 Definitions

2.1 Notation

If x∈ Bn_{, then}_|_x_|_{denotes the length}_n _{of the vector. Further,}_x_{← B}$ _{denotes the process of sampling}

an elementxfrom setB uniformly at random. IfA∈Zq(k+1)×n is a matrix, then A∈Zkq×n denotes the

upper matrix of Aand thenA∈_Z1×k

q denotes the last row ofA.

Games. We use games for our security reductions. A game G is defined by proceduresInitialize and

Finalize, plus some optional proceduresP1, . . . ,Pn. All procedures are given using pseudo-code, where

initially all variables are undefined. An adversary A is executed in game G if it first calls _Initialize, obtaining its output. Next, it may make arbitrary queries to_Pi (according to their specification), again

obtaining their output. Finally, it makes one single call to_Finalize(·)and stops. We defineGAas the output ofA’s call to_Finalize.

2.2 Pairing groups and Matrix Diffie-Hellman Assumption

Let GGen be a probabilistic polynomial time (PPT) algorithm that on input 1λ _{returns a description}

G= (G1,G2,GT, q,P1,P2, e)of asymmetric pairing groups whereG1,G2,GT are cyclic groups of orderq

for aλ-bit primeq,P1andP2are generators ofG1andG2, respectively, ande:G1×G2is an efficiently computable (non-degenerated) bilinear map. DefinePT :=e(P1,P2), which is a generator inGT.

We use implicit representation of group elements as introduced in [13]. Fors∈ {1,2, T} anda∈Zq

define[a]s=aPs∈Gsas theimplicit representationofainGs. More generally, for a matrixA= (aij)∈ Znq×mwe define[A]sas the implicit representation ofAinGs:

[A]s:=





a11Ps ... a1mPs

an1Ps ... anmPs



∈G

n×m s

We will always use this implicit notation of elements inGs, i.e., we let [a]s ∈Gs be an element in Gs. Note that from[a]s∈Gs it is generally hard to compute the valuea(discrete logarithm problem in Gs). Further, from [b]T ∈GT it is hard to compute the value [b]1∈G1 and[b]2∈G2 (pairing inversion problem). Obviously, given [a]s ∈ Gs and a scalar x ∈ Zq, one can efficiently compute [ax]s ∈ Gs.

Further, given [a]1,[a]2 one can efficiently compute [ab]T using the pairing e. For a,b ∈ Zkq define e([a]1,[b]2) := [a>b]T ∈GT.

We recall the definition of the matrix Diffie-Hellman (MDDH) assumption [13].

Definition 2.1 (Matrix Distribution) Let k ∈ _N. We call Dk a matrix distribution if it outputs

matrices in Z(qk+1)×k of full rank kin polynomial time.

Without loss of generality, we assume the first k rows of A_{← D}$

k form an invertible matrix. The Dk

-Matrix Diffie-Hellman problem is to distinguish the two distributions ([A],[Aw]) and ([A],[u]) where

A_{← D}$

k, w←$ Zkq andu←$ Zkq+1.

Definition 2.2 (Dk-Matrix Diffie-Hellman AssumptionDk-MDDH) Let Dk be a matrix

distribu-tion ands∈ {1,2, T}. We say that theDk-Matrix Diffie-Hellman (Dk-MDDH) Assumption holds relative

toGGen in group_Gs if for all PPT adversariesD,

AdvDk,GGen(D) :=|Pr[D(G,[A]s,[Aw]s) = 1]−Pr[D(G,[A]s,[u]s) = 1]|=negl(λ),

where the probability is taken overG_←$ _GGen₍₁λ₎_,_A_{← D}$

k,w←$ Zkq,u $

(6)

For eachk≥1, [13] specifies distributionsLk,Ck,SCk, ILk such that the corresponding Dk-MDDH

assumption is the k-Linear assumption, the k-Cascade, thek-Symmetric Cascade, and the Incremental

k-Linear Assumption, respectively. All assumptions are generically secure in bilinear groups and form a hierarchy of increasingly weaker assumptions. The distributions are exemplified for k = 2, where

a1, . . . , a6←$ Zq.

C2:A=





a1 0

1 a2

0 1



 SC2:A= 



a1 0

1 a1

0 1



 L2:A= 



a1 0

0 a2

1 1



 U2:A= 



a1 a2

a3 a4

a5 a6



.

It was also shown in [13] that Uk-MDDH is implied by all otherDk-MDDHassumptions. IfAis chosen

fromSCk, then[A]scan be represented with1group element; ifAis chosen fromLk orCk, then[A]scan

be represented withkgroup elements; IfAis chosen fromUk, then[A]scan be represented with(k+ 1)k

group elements. Hence, SCk-MDDH offers the same security guarantees as k-Linear, while having the

advantage of a more compact representation.

Let m ≥ 1. For W _←$

Zkq×m,U ←$ Z

(k+1)×m

q , consider the m-fold Dk-MDDH problem which is

distinguishing the distributions ([A],[AW]) and ([A],[U]). That is, the m-fold Dk-MDDH problem

containsm independent instances of theDk-MDDH problem (with the sameA but differentwi). By a

hybrid argument one can show that the two problems are equivalent, where the reduction loses a factor

m. The following lemma gives a tight reduction.

Lemma 2.3 (Random self reducibility [13]) For any matrix distribution Dk,Dk-MDDHis random

self-reducible. In particular, for any m≥1,

AdvDk,GGen(D) +

1

q−1 ≥Adv m

Dk,GGen(D

0_{) := Pr[}_D0₍_G_,_[_A_]_,_[_AW_])_⇒_1]₋_Pr[_D0₍_G_,_[_A_]_,_[_U_])_⇒_1]_,

with G ←GGen(1λ),A_{← D}$ _k,_W_←$

Zkq×m,U←$ Z

(k+1)×m

q .

3 Message Authentication Codes

We use the standard definition of a (randomized) message authentication codeMAC= (GenMAC,Tag,Ver),

whereskMAC←$ GenMAC(par)returns a secret key,τ ←$ Tag(skMAC,m)returns a tagτ on messagemfrom

some message spaceM, andVer(skMAC,m, τ)∈ {0,1}returns a verification bit.

3.1 Affine MACs

Affine MACs over_Zn

q are group-based MACs with a specific algebraic structure.

Definition 3.1 Letparbe system parameters containing a groupG= (G2, q, g2)of prime-orderqand let

n∈N. We say that MAC= (GenMAC,Tag,Ver)is affine overZnq if the following conditions hold:

1. GenMAC(par)returns skMAC containing(B,x0, . . . ,x`, x00, . . . , x0`0), whereB∈_Zn×n 0

q ,xi∈Znq,x0j ∈ Zq, for somen0, `, `0∈N. We assume B has rank at least one.

2. Tag(skMAC,m∈ B`)returns a tagτ = ([t]2,[u]2)∈Gn2×G2, computed as

t = Bs∈Znq fors $

←Zn

0

q (2)

u = `

X

i=0

fi(m)x>_i t+ `0

X

i=0

f_i0(m)x0_i∈Zq (3)

for some public defining functionsfi:M →Zq andfi0:M →Zq. Vectorscan be generated either

pseudorandomly (cf. MACNR[Dk]) or randomly (cf. MACHPS[Dk]) and u is the (deterministic)

message-depending part.

(7)

Initialize:

skMAC←$ GenMAC(par)

Returnε

Eval(m):

QM=QM∪ {m}

Return([t]2,[u]2)←$ Tag(skMAC,m)

Chal(m∗): //one query

h_←$ Z∗q

h0=Pfi(m∗)xi·h∈Znq;h1=Pfi0(m ∗

)x0i·h∈Zq

h0 ←$ Znq;h1←$ Zq Return([h]1,[h0]1,[h1]T)

Finalize(d∈ {0,1}): Returnd∧(m∗∈ QM/ )

Figure 1: Games PR-CMAreal and PR-CMArand for definingPR-CMA security. In all procedures, the boxed

statements redefining(h0, h1)are only executed in gamePR-CMArand.

The standard security notion for probabilistic MACs is unforgeability against chosen-message attacks UF-CMA [12]. In this work we require pseudorandomness against chosen-message attacks (PR-CMA), which is slightly stronger than UF-CMA. Essentially, we require that the values used for one single verification equation (3) on messagem∗ are pseudorandom overG1and GT.

LetG= (G1,G2,GT, q, g1, g2, e)be an asymmetric pairing group such that(G2, g2, q)is contained in par. We define thePR-CMAsecurity via gamesPR-CMArealandPR-CMArandfrom Figure 1. Note that the

output([h]1,[h0]1,[h1]T)ofChal(m∗)in gamePR-CMArealcan be viewed as a “token” for messagem∗to

check verification equation (3) for arbitrary tags([t]2,[u]2)via equatione([h]1,[u]2) ?

=e([t]1,[h0]1)·[h1]T.

Intuitively, the pseudorandomness of [h1]T is responsible for indistinguishabilty and of [h0]1 to prove anonymity of the IBE scheme.

Definition 3.2 An affineMACoverZnq isPR-CMA-secure if for all PPTA,Adv pr-cma

MAC (A) := Pr[PR-CMA

A

real

⇒1]−Pr[PR-CMAA_rand⇒1]is negligible, where the experiments are defined in Figure 1.

3.2 An Affine MAC from the Naor-Reingold PRF

Unfortunately, the (deterministic) Naor-Reingold pseudorandom function is not affine. LetPRF:M →

Zkq be a pseudorandom function and we use the following randomized versionMACNR[Dk] = (GenMAC,Tag,

Ver)of it based on any matrix assumptionDk. For the special caseDk =Lk, it was implicitly given in

[8]. Recall that, for any matrixA∈Z(qk+1)×k we denote the upperkrows byA∈Zkq×k and the last row

byA∈Z1q×k.

GenMAC(par):

A_{← D}$

k;B:=A∈Zkq×k

x1,0, . . . ,xm,1←$ Zqk;x00←$ Zq

skMAC= (B,x1,0, . . . ,xm,1, x00) ReturnskMAC

Tag(skMAC,m):

s_←$

Zkq,t=Bs u= (P|_i=1m| x>i,mi)t+x

0 0∈Zq Returnτ= ([t]2,[u]2)∈Gk2×G2

Ver(skMAC, τ,m):

Ifu= (P|_i=1m| x>i,mi)t+x 0 0 then return 1;

Else return 0.

Note thatMACNR[Dk]isn-affine overZnq with message spaceM={0,1}m. Writingxi,b=x2i+b we have n=n0 =k,`0= 0, `= 2m+ 1and functionsf0(m) =f1(m) = 0,f00(m) = 1, andf2i+b(m) = (mi=b)for 1 ≤i≤m. (To perfectly fit our definition,xi,b should be renamed to x2i+b, but we conserve the other

notations for better readability.)

We showMACNR[Dk]satisfies a weaker version of PR-CMAsecurity, calledPR-CMA0 security, where an adversary is allowed to query _Evalon each message mat most once. PR-CMA0 can be converted to PR-CMAsecurity by generatingsusing a pseudo-random functionPRFonmsuch thatTagis determin-istic.

Theorem 3.3 MACNR[Dk] is tightly PR-CMA0-secure under theDk-MDDH assumption. In particular,

for all adversaries Athere exist adversariesB1 with T(B1)≈T(A) and

Advpr-cma0

(8)

Initialize: // GamesG0, G1,i,G2

A_{← D}$ k

Forj= 1, . . . , m:xj,0,xj,1←Zkq x00←$Zq; x00is undefined Returnε

Chal(m∗): // GamesG0, G1,i, G2, one query h_←$

Zq; x00=RFi(m∗|i)

h0= (Pm_j=1xj,m∗

j)·h;h1=x 0

0·h∈Zq

h0←$ Zkq;h1←$ Zq Return([h]1,[h0]1,[h1]T)

Eval(m): // GamesG0, G1,i, G2 QM=QM∪ {m}

sm←$ Zkq;tm=Bsm

um=Pmj=1x >

j,mjtm+x 0 0 um=Pm_j=1x>j,mjtm+RFi(m|i) um←$ Zq

Return([tm]2,[um]2)

Finalize(d∈ {0,1}): // GamesG0-G2 Returnd∧(m∗∈ QM/ )

Figure 2: Games G0, G1 and G2,i (0≤ i≤ m) for the proof of Lemmas 3.4 to 3.7. RFi :{0,1}i → Zq is a random function andm|idenotes theith prefix ofm. In each procedure, a solid (dotted) frame indicates that the command is only executed in the game marked by a solid (dotted) frame.

Note that the security bound is (almost) tight, as m is the bit-length of message spaceM. The proof follows the ideas from [8, 26]. We usemhybrids, where in hybridiall the (maximalQ) valuesx>_i,₁₋_m∗

i·t

in the response to an _Eval query are replaced by uniform randomness. Here m∗ is the message from the challenge query. We use theQ-foldDk-MDDHassumption to interpolate between the hybrids, where

the reductions guessesm∗_i correctly with probability1/2. As theQ-foldDk-MDDHassumption is tightly

implied by the standardDk-MDDHassumption (Lemma 2.3), the proof follows.

We remark, that one can define an alternative version ofMACNR[Dk]by setting x0 :=Pxi,0, xi :=

xi,1−xi,0andu= (x>0 +

P|m|

i=1mix>i )t+x00. This MAC has a shorter secret key and can also be shown to bePR-CMA. (However, it does not satisfy the stronger security notion ofHPR-CMAneeded in Section 5.)

Proof of Theorem 3.3: LetAbe an adversary against thePR-CMA-security ofMACNR[Dk]. We prove

Theorem 3.3 by defining a sequence of intermediate games as in Figure 2 and 4.

Game G0is the real attack game.

Lemma 3.4 Pr[PR-CMAA_real⇒1] = Pr[GA₀ ⇒1].

InG1,0, we syntactically replacex00 byRF0()which is a fixed random element.

Lemma 3.5 Pr[GA₀ ⇒1] = Pr[GA₁_,₀⇒1].

Lemma 3.6 There exists an adversaryB1 with T(B1)≈T(A) and|Pr[GA₁_,i ⇒1]−Pr[GA₁_,i₋₁ ⇒1]| ≤

2(AdvDk,GGen(B1)− 1

q−1).

Proof:LetQbe the maximal number ofEvalqueries made byA. We first build an adversaryB0_against theQ-foldDk-MDDHAssumption such that

2AdvQ_D

k,GGen(B

0₎_{≥ |}_Pr[_GA

1,i⇒1]−Pr[G

A

1,i−1⇒1]|. (4)

This implies the lemma using the random self reducibility of the MDDHassumption (Lemma 2.3).

On input of a Q-fold Dk-MDDH challenge ([A]2,[H]2)∈G(2k+1)×k×G (k+1)×Q

2 ,B0 first picks a random bitbwhich is a guess form∗_i. LetRFi−1andRF0i−1be two independent random functions (defined on the fly) which we use to define

RFi(m|i) =

(

RFi−1(m|i−1) mi=b

(9)

Initialize: b_{← {}$ ₀_,₁_}

Forj= 1, . . . , mandj0= 0,1 :

Ifj6=iorj0=bthenxj,j0 ←$ _Zk_q r_←$

Zk+1q ;x >

i,1−bA:=r >

A∈Zkq Returnε

Chal(m∗): Abort ifm∗i 6=b. h_←$

Zq;x00=RFi−1(m∗|i−1)

h0= (Pm_j=1xj,m∗_j)h∈Zkq h1=x00h∈Zq

Return([h]1,[h0]1,[h1]T)

Eval(m):

QM=QM∪ {m} c:=αi(m|i)

s0m←$ Zkq;tm=As0m+Hc

um=

(

(P|_j=1m| x>j,mj)tm+RFi−1(m|i−1) mi=b

(P j6=ix

>

j,mj)tm+r >

(As0m+Hc) +RFi−1(m|i−1) mi= 1−b Return([tm]2,[um]2)

Finalize(d∈ {0,1}): Returnd∧(m∗∈ QM/ )

Figure 3: Description of B0(G,[A]2,[H]2)interpolating between the Games G1,i andG1,i−1, whereHc denotes thec-th column ofH andαi:{0,1}i→ {1, . . . , Q}is an injective function.

The construction ofB0_{is described in Figure 3. Note that if}_RF

i−1andRF0i−1are random functions, then RFi is a random function.

Assume B0 _{correctly guesses}_b₌_m∗

i (which happens with probability1/2). By the definition ofRFi and

by m∗

i =b we have RFi(m∗_|i) =RFi−1(m∗_|i−1), which impliesChal(m∗) is identically distributed inG1,i

andG1,i−1.

We now analyze the output distribution of the _Eval queries. First note that t is uniformly random over _Zk

q in both gamesG1,i and G1,i−1. As for the distribution of u, we only need to consider the case mi = 1−b, sinceum formi =b is identically distributed in gamesG1,i andG1,i−1. Assumemi = 1−b.

WriteHc=AWc+Rc for someWc ∈_Zk

q, whereRc= 0(i.e.,His from theDk-MDDHdistribution) or Rc is uniform. Then,

um=

X

j6=i

x>_j,_m_jtm+r>A(s0m+Wc) +r

>_Rc₊_RF

i−1(m|i−1)

=X j6=i

x>j,mjtm+x

>

i,1−bA(s0m+Wc)

| {z }

tm

+r>Rc+RFi−1(m|i−1)

=

|m|

X

j=0

x>_j,_m_jtm+r>Rc+RFi−1(m|i−1).

If Rc = 0, then um is distributed as in game G1,i−1. IfRc is uniform, then define RF0(m|i−1) :=r>Rc anduis distributed as inG1,i.

Lemma 3.7 Pr[GA₁_,m⇒1] = Pr[GA₂ ⇒1]

Proof: In G1,m, the values um computed in Eval(m) are masked by RFm(m)and are hence uniformly

random for distinctm.

Finally, we do all the previous steps in reverse order, as shown in Figure 4, where the index iof hybrid H1,istarts withmand ends with 0. Clearly,H2=G2 andH0=PR-CMArand. Following the arguments of

Lemmas 3.5 to 3.7 in reverse order, one obtains the following lemma.

(10)

Initialize: // GamesH0,H1,i, H2

B_←$

Zkq×k; x 0 0 ←$Zq

Fori= 1, . . . , m:xi,0,xi,1←Zkq Returnε

Chal(m∗): //GamesH0-H2, one query h_←$

Zq h0←$ Zkq;h1←$ Zq Return([h]1,[h0]1,[h1]T)

Eval(m): // GamesH0, H1,i, H2 QM=QM∪ {m}

sm←$ Zkq;tm=Bsm

um←$ Zq um= (Pmj=1x

>

j,mj)tm+RFi(m|i) um= (Pmj=1x

>

j,mj)tm+x 0 0 Return([tm]2,[um]2)

Finalize(d∈ {0,1}): // GamesH0-H2 Returnd∧(m∗∈ QM/ )

Figure 4: GamesH0,H1,i (m≥i≥0) andH2 for the proof of Lemma 3.8.

This completes the proof of Theorem 3.3.

3.3 An Affine MAC from Hash Proof System

Let Dk be a matrix distribution. We now combine the hash proof system for the subset membership

problem induced by the Dk-MDDH assumption from [13] with the generic MAC construction from [12]

and obtain the following MACHPS[Dk]forM=Z`q.

GenMAC(par):

B_{← D}$ k

x0, . . . ,x`←$ Zk+1q x00←$ Zq

ReturnskMAC= (B,x0, . . . ,x`, x00)

Tag(skMAC,m):

s_←$ Zkq

t=Bs∈Zk+1q u= (x>0 +

P|m| i=1mi·x

>

i )t+x00∈Zq Returnτ= ([t]2,[u]2)∈Gk+12 ×G2

Ver(skMAC, τ,m):

Ifu= (x>0 + P|m|

i=1mi·x > i)t+x00 then return 1

Else return 0

Note thatMACHPS[Dk]isn-affine overZnq withn=k+1,n0=k,`0 = 0, and defining functionsf0(m) = 1,

fi(m) =mi, andf00(m) = 1, wheremi is the i-th component ofm. For the moment we use `= 1which

already gives a MAC with exponential message spaceM=Zq.

Combining [13, 12] we obtain thatMACHPS[Dk] is UF-CMAunder the Dk-MDDH assumption. The

proof extends to show evenPR-CMAsecurity. Compared toMACNR[Dk], we lose the tight reduction, but

gain much shorter public parameters.

Theorem 3.9 MACHPS[Dk] is PR-CMA-secure under the Dk-MDDH assumption. In particular, for all

adversariesAthere exists an adversaryDwithT(A)≈T(D)andAdvpr_MAC-cma

HPS[Dk](A)≤2Q(AdvDk,GGen(D)+

1/q), whereQ is the maximal number of queries toEval(·).

Proof:We prove Theorem 3.9 by defining a sequence of intermediate games as in Figure 5. LetAbe an adversary against thePR-CMA-security ofMACHPS[Dk]. GameG0is the real attack game. In gamesG1,i,

the first i−1 queries to theEval oracle are answered with uniform values inGk2+1×G2 and the rest are answered as in the real scheme. To interpolate between G1,i andG1,i+1, we also defineG01,i, which

answers thei-th query toEvalby picking a randomt_←$

Zkq+1. By definition, we haveG0=G1,1.

Lemma 3.10 Pr[PR-CMAA_real⇒1] = Pr[GA

0 ⇒1] = Pr[GA1,1⇒1].

Lemma 3.11 There exists an adversary B with T(B) ≈T(A) and AdvDk,GGen(B) ≥ |Pr[G

0A

1,i ⇒1]− Pr[GA₁_,i⇒1]|.

Proof: Games G1,i and G10,i only differ in the distribution of t returned by the Eval oracle for its i

(11)

Initialize: // GamesG0-G2

B_{← D}$

k;x00←$ Zq

Forj= 0, . . . , `:xj←$ Zk+1q Returnε

Chal(m∗): //GamesG0-G1,Q+1, G2 h_←$

Zq

h0= (x0+Pm∗j·xj)h∈Zk+1q ;h1=x00h∈Zq

h0←$ Zk+1q ;h1 ←$ Zq Return([h]1,[h0]1,[h1]T)

Finalize(d∈ {0,1}): // GamesG0-G2 Returnd∧(m∗∈ QM/ )

Eval(m): //GameG2

QM=QM∪ {m}

(t, u)_←$

Zk+1q ×Zq Return([t]2,[u]2)

Eval(m): // GameG0

QM=QM∪ {m}

s_←$

Zkq,t=Bs∈Zk+1q u= (x>0 +

Pm j=1mj·x

> j)t+x

0 0 Return([t]2,[u]2)

Eval(m): // GamesG1,i,G01,i QM=QM∪ {m} // Letmbe thec-th query

(1≤c≤Q)

Ifc < ithen

(t, u)_←$

Zk+1q ×Zq Ifc > ithen

s_←$

Zkq,t=Bs;u= (x > 0+

P|m| j=1mj·x

> j)t+x

0 0 Ifc=ithen

s_←$

Zkq,t=Bs

t_←$ Zk+1q u= (x>0 +

P|m| j=1mj·x

> j)t+x

0 0 Return([t]2,[u]2)

Figure 5: GamesG0,(G1,i,G01,i)1≤i≤Q,G1,Q+1,G2 for the proof of Theorem 3.9.

Lemma 3.12 |Pr[GA₁_,i₊₁⇒1]−Pr[G0A₁_,i⇒1]| ≤1/q.

Proof: At a high level, these two games are only separated by the 2-universality of the underlying hash proof system. Letmbe thei-th query toEvaland let([t]2,[u]2)be its tag. Asm6=m∗, there exists an index i0 such thatmi0 6=m∗_i0, wheremi0 (resp. m∗_i0) denotes the i0-th entry of m(resp. m∗). We use an

information-theoretic argument to show that inG0₁_,ithe valueu−x00is uniformly random. For simplicity, we assumex00 andxj (j6∈ {0, i0}) are known toA. Information-theoretically, adversaryAmay also learn

B>_x

0andB>xi0 from thec-th query withc > i. Thus,Ainformation-theoretically obtains the following

equations in the unknown variables

x0

xi0

∈Z2(qk+1):



  

B>x0

B>xi0 h0

u−x0₀



  

=



  

B> 0 0 B> h·Ik+1 m∗i0h·Ik+1

t> mi0t>



  

| {z }

=:M∈Z(3qk+2)×(2k+2) ·

x0

xi0

whereIk+1 is the(k+ 1)×(k+ 1)identity matrix. To show thatu−x00 is linearly independent ofB>x0,

B>xi0 and h₀, we argue that the last row of M is linearly independent of all the other rows. Since t∈/ span(B)(except with probability1/q),t> is independent ofB>; bymi0 6=m∗_i0, the last row ofM is

linearly independent of rows2k+ 1to3k+ 1. We conclude thatuis uniformly random inA’s view.

Lemma 3.13 Pr[GA₂ ⇒1] = Pr[GA₁_,Q₊₁⇒1].

Proof:Note thatAcan ask at mostQ-many_Evalqueries. In bothG1,Q+1 andG2, all answers ofEval are uniformly at random and independent of the secret keys (x0₀,x0, . . . ,x`). Hence, the values h0 and

h1 fromG1,Q+1 are uniform in the view ofA.

(12)

Initialize: // GamesH0-H2

B_{← D}$

k;x00←$Zq

Forj= 0, . . . , `:xj←$Zk+1q Returnε

Chal(m∗): //GamesH0-H2 h_←$

Zq;h0←$ Zk+1q ;h1←$ Zq Return([h]1,[h0]1,[h1]T)

Finalize(d∈ {0,1}): // GamesH0-H2 Returnd∧(m∗∈ QM/ )

Eval(m): //GameH0

QM=QM∪ {m}

(t, u)_←$

Zk+1q ×Zq Return([t]2,[u]2)

Eval(m): // GamesH1,i,H01,i

QM=QM∪ {m} // Letmbe thec-th query(1≤c≤Q)

Ifc > ithen

(t, u)_←$

Zk+1q ×Zq Ifc < ithen

s_←$

Zkq,t=Bs;u= (x > 0 +

P|m| j=1mj·x

> j)t+x

0 0 Ifc=ithen

t_←$ Zk+1q

s_←$

Zkq;t=Bs∈Zk+1q u= (x>0 +

P|m| j=1mj·x

> j)t+x

0 0 Return([t]2,[u]2)

Eval(m): // GameH2

QM=QM∪ {m}

s_←$

Zkq,t=Bs u= (x>0 +

P|m| i=1mi·x

> i)t+x

0 0 Return([t]2,[u]2)

Figure 6: GamesH0,(H1,i,H01,i)1≤i≤Q,H1,Q+1,H2for the proof of Lemma 3.14.

Lemma 3.14 There exists an adversaryBwithT(B)≈T(A)andQ(AdvDk,GGen(B)+1/q)≥ |Pr[PR-CMA

A

rand

⇒1]−Pr[GA₂ ⇒1]|.

Theorem 3.9 follows by combining Lemmas 3.10-3.14.

4 Identity-based Encryption from Affine MACs

In this section, we will present our transformationIBE[MAC,Dk]from affine MACs to IBE based on the

Dk-MDDHassumption.

4.1 Identity-based Key Encapsulation

We now recall syntax and security of IBE in terms of an ID-based key encapsulation mechanismIBKEM. Every IBKEM can be transformed into an ID-based encryption scheme IBE using a (one-time secure) symmetric cipher.

Definition 4.1 (Identity-based Key Encapsulation Scheme) An identity-based key encapsulation (IBKEM) scheme IBKEM consists of four PPT algorithms IBKEM = (Gen,USKGen,Enc,Dec) with the following properties.

• The probabilistic key generation algorithmGen(1λ₎ _{returns the (master) public/secret key} ₍_pk_,_sk₎_.

We assume thatpkimplicitly defines an identity spaceID, a key spaceK, and ciphertext spaceC. • The probabilistic user secret key generation algorithm USKGen(sk,id) returns the user secret-key

usk[id]for identity id∈ ID.

• The probabilistic encapsulation algorithmEnc(pk,id)returns the symmetric keyK∈ Ktogether with a ciphertextC∈ C with respect to identityid.

• The deterministic decapsulation algorithmDec(usk[id],id,C)returns the decapsulated key K∈ K or the reject symbol⊥.

For perfect correctness we require that for allλ∈N, all pairs(pk,sk)generated byGen(1λ), all identities

id∈ ID, allusk[id]generated by USKGen(sk,id) and all(K,C)output by Enc(pk,id):

(13)

ProcedureInitialize:

(pk,sk)_←$

Gen(1λ)

Returnpk

ProcedureUSKGen(id): QID← QID∪ {id}

Returnusk[id]_←$ _USKGen₍_sk_,_id₎

ProcedureEnc(id∗): //one query

(K∗,C∗)_←$ _Enc₍_pk_,_id∗

)

K∗_{← K}$ _;_C∗_{← C}$ Return(K∗,C∗)

ProcedureFinalize(β): Return(id∗6∈ QID)∧β

Figure 7: Security GamesPR-ID-CPAreal and PR-ID-CPArand for definingPR-ID-CPA-security.

The security requirements for an IBKEM we consider here are indistinguishability and anonymity against chosen plaintext and identity attacks (IND-ID-CPAandANON-ID-CPA). Instead of defining both security notions separately, we define pseudorandom ciphertexts against chosen plaintext and identity attacks (PR-ID-CPA) which means that challenge key and ciphertext are both pseudorandom. Note that PR-ID-CPAtrivially impliesIND-ID-CPAandANON-ID-CPA.

We definePR-ID-CPA-security ofIBKEM formally via the games given in Figure 7.

Definition 4.2 (PR-ID-CPA Security) An identity-based key encapsulation schemeIBKEMisPR-ID-CPA -secure if for all PPTA,Advpr_IBKEM-id-cpa(A) :=|Pr[PR-ID-CPAA_real⇒1]−Pr[PR-ID-CPAA_rand⇒1]|is negligible.

4.2 The Transformation

LetDkbe a matrix distribution that outputs matricesA∈Zq(k+1)×k. LetMACbe an affine MAC overZnq

with message spaceID. Our IBKEMIBKEM[MAC,Dk] = (Gen,USKGen,Enc,Dec)for key-spaceK=GT

and identity spaceID is defined as follows.

Gen(par):

A_{← D}$ k

skMAC= (B,x0, . . . ,x`, x00, . . . , x 0

`0)←$ GenMAC(par)

Fori= 0, . . . , `:Yi←$ Zkq×n;Zi= (Y>i |xi)·A∈Znq×k Fori= 0, . . . , `0:y0i←$ Zkq;z0i= (y0i

>

|x0i)·A∈Z1q×k

pk:= (G,[A]1,([Zi]1)0≤i≤`,([z0i]1)0≤i≤`0)

sk:= (skMAC,(Yi)0≤i≤`,(yi0)0≤i≤`0) Return(pk,sk)

USKGen(sk,id):

([t]2,[u]2)←$ Tag(skMAC,id)

v=P`

i=0fi(id)Yit+P`

0

i=0f 0 i(id)y

0 i∈Z

k q Returnusk[id] := ([t]2,[u]2,[v]2)∈Gn+1+k2

Enc(pk,id):

r_←$ Zkq

c0=Ar∈Zk+1q

c1= (P`_i=0fi(id)Zi)·r∈Znq K= (P`0

i=0f 0 i(id)z

0

i)·r∈Zq.

ReturnK= [K]T andC= ([c0]1,[c1]1)∈Gn+k+11

Dec(usk[id],id,C):

Parseusk[id] = ([t]2,[u]2,[v]2) ParseC= ([c0]1,[c1]1)

K=e([c0]1,

v

u

2

)−e([c1]1,[t]2) ReturnK∈GT

The intuition behind our construction is that the values[Zi]1,[z0i]1frompkcan be viewed as perfectly hiding commitments to the secrets keysskMAC= (x1, . . . ,x`, x01, . . . , x0`0)ofMAC. User secret key

genera-tion computes the MAC tag τ= ([t]2,[u]2)←$ Tag(skMAC)plus a “non-interactive zero-knowledge proof” [v]2proving thatτ was computed correctly with respect to the commitments. As the MAC is affine, the NIZK proof has a very simple structure. The encryption algorithm is derived from a randomized version of the NIZK verification equation. Here we again make use of the affine structure ofMAC.

(14)

Initialize: // GamesG0-G4 G_←$ _GGen₍₁λ

);A_{← D}$ k

skMAC= (B,x0, . . . ,x`, x00, . . . , x 0

`0)←$ GenMAC(G)

Fori= 0, . . . , `:Yi←$ Zkq×n;Zi= (Yi>|xi)·A∈Znq×k Fori= 0, . . . , `0:y0i←$ Zkq;z0i= (y0i

>

|x0i)·A∈Z1q×k

pk:= (G,[A]1,([Zi]1)0≤i≤`,([z0i]1)0≤i≤`0)

sk:= (skMAC,(Yi)0≤i≤`,(y0i)0≤i≤`0) Returnpk

Finalize(β): //GamesG0-G4 Return(id∗6∈ QID)∧β

USKGen(id): //GamesG0-G2,G3-G4 QID=QID∪ {id}

v=P`

i=0fi(id)Yit+ P`0

i=0f 0

i(id)y0i∈Zkq

v>= (t>P

fi(id)Zi+Pfi0(id)z 0

i−u·A)·A −1

usk[id] := ([t]2,[u]2,[v]2)∈Gn2 ×G12×Gk2 Returnusk[id]

Enc(id∗): //GamesG0, G1-G2, G2 G3

r_←$ Zkq;

c∗0=Ar∈Zk+1q

c∗0←$ Zk+1q h_←$

Zq;c∗0←$ Zkq;c ∗

0 :=h+A·A −1_c∗

0∈Zq

c∗1= ( P`

i=0fi(id ∗

)Zi)r∈Znq

c∗1= P`

i=0fi(id∗)(Yi>|xi)c∗0 ∈Znq

c∗1= P`

i=0fi(id ∗

)(Zi·A−1c∗0+xi·h) K∗=P`0

i=0f 0 i(id

∗

)z0i·r∈Zq. K∗=P`0

i=0f 0 i(id

∗

)(y0>i |x 0 i)c

∗ 0∈Zq K∗=P`0

i=0f 0 i(id

∗

)(z0i·A −1_c∗

0+x 0 i·h) ReturnK∗= [K∗]T andC∗= ([c∗0]1,[c∗1]1)

Enc(id∗): //GameG4

K∗_←$

GT andC∗←$ Gn+k+11 ReturnK∗andC∗

Figure 8: GamesG0-G4 for the proof of Theorem 4.3.

output ofUSKGen(sk,id). By Equation (3) in Section 3, we have

e([c0]1,

v u 2 ) = "

(Ar)>·

P`

i=0fi(id)Yit+

P`0

i=0fi0(id)y0i

P`

i=0fi(id)x>i t+

P`0

i=0fi0(id)x0i

!#

T

e([c1]1,[t]2) =

(Ar)>

P

fi(id)Yi

P_f

i(id)x>i

·t

T

and the quotient of the two elements yieldsK= (P`0

i=0f 0

i(id)z0i)·r.

Theorem 4.3 Under the Dk-MDDH assumption relative to GGen in G1 and the PR-CMA-security of MAC, IBKEM[MAC,Dk] is a PR-ID-CPA-secure IBKEM. Particularly, for all adversaries A there exist

adversaries B1 and B2 with T(B1) ≈ T(A) ≈ T(B2) and Advpr_IBKEM-id-cpa_[_MAC_,_D

k](A) ≤ AdvDk,GGen(B1) +

Advpr_MAC-cma(B2).

Proof of Theorem 4.3: We prove Theorem 4.3 by defining a sequence of gamesG0-G4 as in Figure 8. LetAbe an adversary against thePR-ID-CPAsecurity ofIBKEMMAC,Dk.

Lemma 4.4 Pr[PR-ID-CPAA_real⇒1] = Pr[GA₁ ⇒1] = Pr[GA₀ ⇒1].

Proof: G0 is the real attack game. In gameG1, we change the simulation ofc∗1 andK∗ in Enc(id ∗₎_by

substitutingZi andz0_i with their respective definitions:

c∗1=

`

X

i=0

fi(id∗)Zir= `

X

i=0

fi(id∗)(Y>i |xi)Ar= `

X

i=0

fi(id∗)(Y>i |xi)c∗0

and, similarly K∗=P

f_i0(id∗)(y_i0>|x0_i)Ar=P

f_i0(id∗)(y0>_i |x0_i)c∗0. Thus,G1is identical to G0.

Lemma 4.5 There exists an adversary B1 with T(B1)≈T(A) andAdvDk,GGen(B1)≥ |Pr[G

A

2 ⇒1]−

(15)

Proof: The only difference between G2 and G1 is that c∗0 is chosen uniformly at random over Zkq+1.

It is easy to see that the joint distribution of (G,[A]1,[c∗0]1) in G1 is identical to the real Dk-MDDH

distribution and(G,[A]1,[c0∗]1)inG2 is identical to the randomDk-MDDHdistribution.

More formally, we build a distinguisherB1. B1 takes as input (G,[A]1,[b]1)and it has to distinguish if

b=Awfor some random vectorw∈Zqkorbis uniformly random. B1simulatesUSKGenandFinalize

the same way as inG2 andG1. We only describe the simulation ofInitializeandEncin Figure 9. Note that B1 knows the secrets xi, x0i,Yi,y0i explicitly over Zq. Hence, B1 can compute ([Zi]1,([zi0]1)0≤i≤`)

from pkand([c∗

1]1,[K∗]T)from from the encryption query from[A]1and [b]1. If b=Aw forw←$ Zkq,

Initialize:

skMAC= (B,x0, . . . ,x`, x00, . . . , x0`0)←$ GenMAC(G)

Fori= 0, . . . , `: Yi←$ Zkq×n;Zi= (Y>i |xi)·A Fori= 0, . . . , `0: y0i←$ Zkq;z

0 i= (y

0> i |x

0 i)·A

pk:= (G,[A]1,([Zi]1)0≤i≤`,([z0i]1)0≤i≤`0)

sk:= (skMAC,(Yi)0≤i≤`,(y0i)0≤i≤`0) Returnpk

Enc(id∗): c∗0:=b∈Zk+1q

c∗1= P`

i=0fi(id∗)(Y>i |xi)c∗0∈Znq K∗=P`0

i=0f 0 i(id

∗

)(y0>i |x 0 i)c

∗ 0∈Zq ReturnK∗= [K∗]T andC∗= ([c∗0]1,[c∗1]1)

Figure 9: Description ofB1(G,[A]1,[b]1)for the proof of Lemma 4.5.

then the simulation is distributed as inG1. Ifbis uniformly random, then the simulation is distributed as inG2.

Following the intuition of the construction, in Game G3, we simulate the values v computed in the

USKGen algorithm using a “perfect zero-knowledge” simulator, and Enc is simulated without using (Yi)0≤i≤`and (yi0)0≤i≤`0, which is ready to conclude the proof by using thePR-CMAsecurity ofMAC.

Lemma 4.6 Pr[GA3 ⇒1] = Pr[GA2 ⇒1].

Proof: G3 does not use(Yi)0≤i≤` and(yi0)0≤i≤`0 any more. We now show that the changes are purely

conceptual. By Zi = (Y>_i | xi)A, we have Y>_i = (Zi−xi·A)·(A)−1_{, and similarly we have} _y0>

i = (z0_i−x0_i·A)·(A)−1. ForUSKGen(id), by substitutingY>_i andy_i0>, we obtain

v>=t>Xfi(id)(Zi−xi·A) +Xf_i0(id)(z0_i−x_i0·A)(A)−1

=



 t

>X

fi(id)Zi+

X

f_i0(id)z0_i−(t>Xfi(id)xi+

X

f_i0(id)x0_i)

| {z }

u

·A



 (A)

−1_.

Note that we can compute[v]2 inG2, sinceA,z0i andZi are known explicitly overZq and[t]2 and[u]2 are known.

As for the distribution of _Enc(id∗), it is easy to see that c∗₀ is uniformly random, as in G2. By h =

c∗₀−A·A−1c∗₀, we have

c∗₁ = Xfi(id∗i)(Zi·A−1c∗0+xi·(c∗0−A·A −1_c∗

0))

= Xfi(id∗i)(Yi>A+xiA)·A−

1

c∗0+xi·(c∗0−A·A− 1

c∗0))

= Xfi(id∗_i)(Y_i>|xi)c∗₀

(16)

Initialize:

A_{← D}$ k ε_←$

InitializeMAC

Fori= 0, . . . , `: Zi←$ Znq×k Fori= 0, . . . , `0: z0i←$ Z

1×k q

pk:= (G,[A]1,([Zi]1)0≤i≤`,([z0i]1)0≤i≤`0) Returnpk

USKGen(id): QID=QID∪ {id}

([t]2,[u]2)←$ Eval(id)

v>= (t>P

fi(id)Zi+Pfi0(id)z 0

i−u·A)·(A) −1

usk[id] := ([t]2,[u]2,[v]2)∈Gn2 ×G12×Gk2 Returnusk[id]

Enc(id∗): //one query

([h]1,[h0]1,[h1]T)←$ Chal(id∗)

c∗0←$ Zkq

c∗0=h+A·A−1c∗0∈Zq

c∗1= P`

i=0fi(id∗)Zi·A−1c∗0+h0 K∗=P`

i=0fi(id ∗

)z0i·A −1_c∗

0+h1 ReturnK∗= [K∗]T andC∗= ([c∗0]1,[c∗1]1)

Finalize(β0):

Return(id∗6∈ QID)∧_FinalizeMAC(β0)

Figure 10: Description of B2 (having access to the oracles InitializeMAC,Eval,Chal,FinalizeMAC of the

PR-CMAreal/PR-CMArandgames of Figure 1) for the proof of Lemma 4.7.

Lemma 4.7 There exists an adversary B2 with T(B2) ≈ T(A) and Adv_MACpr-cma(B2) ≥ |Pr[GA4 ⇒ 1]−

Pr[GA3 ⇒1]|.

Proof:InG4, we answer theEnc(id∗)query by choosing randomK∗ andC∗. We construct an adversary B2in Figure 10 to show the differences betweenG4andG3can be bounded by the advantage of breaking PR-CMAsecurity ofMAC. Intuitively, the reduction toPR-CMAsecurity of the symmetric primitiveMAC can be carried out as in both G3 and G4, skMAC (i.e., xi and x0i) is perfectly hidden until B2’s call to Enc(id∗).

If(h0, h1)is uniform (i.e.,B2is in GamePR-CMArand) then the view ofAis the same as inG4. If(h0, h1) is real (i.e.,B2 is in GamePR-CMAreal) then the view ofAis the same as inG3.

The proof of Theorem 4.3 follows by Lemmas 4.4-4.7 and observing thatG4=PR-ID-CPArand.

5 Hierarchical Identity-based Encryption from Delegatable Affine

MACs

In this section, we will define syntax and security requirements of delegatable affine MACs and describe our transformation HIBE[MAC,Dk] from delegatable affine MACs to HIBE based on any Dk-MDDH

assumption.

5.1 Delegatable Affine MACs

Definition 5.1 An affineMACover_Zn

q (Definition 3.1) isdelegatable, if the message space isM=B≤m

for some finite base setB, `0 = 0with f₀0(m) = 1, and there exists a public functionl:M → {0, . . . , `} such that for allm0 ∈ Mwith m0 = (m1, . . . ,mp+1)∈ Bp+1 and length pprefix m= (m1, . . . ,mp)of m,

we have l(m)≤l(m0)and

fi(m0) =

(

fi(m) 0≤i≤l(m)

0 l(m0)< i≤`.

Note that for a delegatable MAC, equation (3) simplifies to

u=





l(m)

X

i=0

fi(m)x>i + l(m0₎

X

i=l(m)+1

fi(m0)x>i



(17)

Initialize:

skMAC= (B,(xi)0≤i≤`, x00)←$ GenMAC(par)

Return([B]2,([x>iB]2)0≤i≤`)

Eval(m): QM=QM∪ {m}

([t]2,[u]2)←$ Tag(skMAC,m)

Fori=l(m) + 1, . . . , `: di=x>it∈Zq Return([t]2,[u]2,([di]2)l(m)+1≤i≤`)

Chal(m∗): // one query

h_←$ Zq

h0=Pfi(mi∗)xi·h∈Znq h1=x00·h∈Zq

h1←$ Zq

Return([h]1,[h0]1,[h1]T)

Finalize(β∈ {0,1}):

Returnβ∧(Prefix(m∗)∩ QM=∅)

Figure 11: GamesHPR-CMAreal, and HPR0-CMArand for definingHPR0-CMAsecurity.

Intuitively, this property will be used for HIBE user secret key delegation.

Security requirements. Let MAC be a delegatable affine MAC over Znq with message space M =

B≤m_:=Sm

i=1B

i_{. To build a HIBE, we require a new notion denoted as}_HPR

0-CMAsecurity. It differs

from PR-CMAsecurity in two ways. Firstly, additional values needed for HIBE delegation are provided to the adversary through the call to _Initialize and _Eval. Secondly, _Chal always returns a real h0 which is the reason why our HIBE is not anonymous. (In fact, the additional values actually allow the adversary to distinguish real from randomh0.)

LetG= (G1,G2,GT, q, g1, g2, e)be an asymmetric pairing group such that(G2, g2, q)is contained in par. Consider the games from Figure 11.

Definition 5.2 A delegatable affineMACover_Zn

q isHPR0-CMA-secure if for all PPTA,Adv hpr₀-cma MAC (A) := Pr[HPR-CMAA_real⇒1]−Pr[HPR0-CMAArand⇒1]is negligible.

5.2 An Example of Delegatable Affine MACs

We note thatMACHPS[Dk]from Section 3 with message space M=B≤m= (Z∗q)≤m is delegatable. One

should remark the change on B, where we now define B = _Z∗_q to avoid having a collision between the MAC of mand the MAC ofmk0.

Theorem 5.3 Under theDk-MDDH assumption, MACHPS[Dk] is HPR0-CMA-secure. In particular, for

all adversariesAthere exists an adversaryDwithT(A)≈T(D)andAdvhpr0-cma

MACHPS[Dk](A)≤4QAdvDk,GGen(D)+

2Q/q, whereQ is the maximal number of queries toEval(·).

The proof is postponed to Appendix A.1

5.3 Hierarchical Identity-Based Key Encapsulation

We recall syntax and security of a hierarchical identity-based key encapsulation mechanism (HIBKEM).

Definition 5.4 (Hierarchical Identity-Based Key Encapsulation Mechanism) A hierarchical identity-based key encapsulation mechanism (HIBE) HIBKEM consists of three PPT algorithms HIBKEM = (Gen,USKDel, ,USKGen,Enc,Dec)with the following properties.

• The probabilistic key generation algorithmGen(1λ₎_{returns the (master) public/secret key and}

del-egation key (pk,sk,dk). Note that for some of our constructions dk is empty. We assume that pk implicitly defines a hierarchical identity space ID=B≤m_{, for some base identity set} _{B, and a key}

spaceK, and ciphertext spaceC.

• The probabilistic user secret key generation algorithm USKGen(sk,id) returns a secret key usk[id]

(18)

Initialize:

(pk,sk,dk)_←$

Gen(1λ)

Return(pk,dk)

USKGen(id): QID← QID∪ {id}

Return(usk[id],udk[id])_←$ _USKGen₍_sk_,_id₎

Enc(id∗): //one query

(K∗,C∗)_←$ _Enc₍_pk_,_id∗

)

K∗_{← K}$

(K∗,C∗)_{← K × C}$ Return(K∗,C∗)

Return(Prefix(id∗)∩ QID=∅)∧β

Figure 12: Games PR-HID-CPAreal, IND-HID-CPArand, and PR-HID-CPArand for defining IND-HID-CPA and

PR-HID-CPA-security. For any identityid∈ Bp_,_Prefix₍_id₎_{denotes the set of all prefixes of}_id_(where_|_Prefix₍_id₎_|₌ O(|B|p

)).

• The probabilistic key delegation algorithm USKDel(dk,usk[id],udk[id],id ∈ Bp_,_id

p+1 ∈ B) returns a user secret key usk[id|idp+1] for the hierarchical identity id0 = id | idp+1 ∈ Bp+1 and the user delegation keyudk[id0]. We require 1≤ |id| ≤m−1.

• The probabilistic encapsulation algorithm Enc(pk,id)returns a symmetric key K∈ K together with a ciphertextCwith respect to the hierarchical identityid∈ ID.

• The deterministic decapsulation algorithm Dec(usk[id],id,C) returns a decapsulated key K ∈ K or the reject symbol⊥.

For correctness we require that for all λ ∈ _N, all pairs (pk,sk) generated by Gen(1λ₎_{, all} _id _{∈ ID, all}

usk[id] generated by USKGen(sk,id) and all(K, c)generated by Enc(pk,id):

Pr[Dec(usk[id],id,C) =K] = 1.

Moreover, we also require the distribution of usk[id|idp+1] from USKDel(usk[id],udk[id],id,idp+1)is iden-tical to the one from USKGen(sk,id|idp+1).

In ourHIBKEMdefinition we make the delegation keydkand the user delegation keyudk[id]explicit to make our constructions more readable. We define indistinguishability (IND-HID-CPA) and pseudorandom ciphertexts (PR-HID-CPA) against adaptively chosen identity and plaintext attacks for a HIBKEM via gamesPR-HID-CPAreal,IND-HID-CPArandand PR-HID-CPArandfrom Figure 12.

Definition 5.5 (IND-HID-CPA and PR-HID-CPA Security) A hierarchical identity-based key encapsu-lation schemeHIBKEMisIND-HID-CPA-secure if for all PPTA,Adv_HIBKEMind-hid-cpa(A) :=|Pr[PR-HID-CPAA_real⇒

1]−Pr[IND-HID-CPAA_rand] is negligible. It is PR-HID-CPA-secure if for all PPT A, Advpr_HIBKEM-hid-cpa(A) :=

|Pr[PR-HID-CPAA_real⇒1]−Pr[PR-HID-CPAA_rand]is negligible.

Note that PR-HID-CPAtrivially impliesIND-HID-CPAand anonymity ofHIBKEM.

5.4 The Transformation

Let Dk be a matrix distribution that outputs matricesA∈Z(qk+1)×k. Let MACbe a delegatable affine

MAC over Znq with message space M = B≤m. Our HIBKEM[MAC,Dk] = (Gen,USKGen,USKDel,Enc,

Dec) for key-space K = GT and hierarchical identity space ID =M =B≤m is defined as in Fig. 13.

Compared to the IBE construction from Sect. 4, the main difference is thatGenalso returns a delegation keydkwhich allows re-randomization of everyusk[id]. Further,USKGenalso outputs user delegation keys udk[id] allowingUSKDelto delegate.

To show correctness ofHIBKEM[MAC,Dk], first note that(ˆu,vˆ)computed inUSKDelis a correct user

secret key for id0,uˆ =Pl(id0)

i=0 fi(id 0₎_x>

i t+x00 andvˆ =

Pl(id0)

i=0 fi(id

0₎_Yit₊_y0

0. In the next step they get rerandmozied as u0 =Pl(id0)

i=0 fi(id 0₎_x>

i (t+Bs0)and v0 =

Pl(id0)

i=0 fi(id

0₎_Yi₍_t₊_Bs0_{) +}_y0

(19)

Gen(par):

A_{← D}$ k

skMAC= (B,x0, . . . ,x`, x00)←$ GenMAC(par)

Fori= 0, . . . , `:

Yi←$ Zkq×n;Zi= (Yi>|xi)·A∈Znq×k

di=x>i ·B∈Zn 0

q ;Ei=Yi·B∈Zk×n 0

q

y00←$ Zkq;z 0 0= (y

0 0 >

|x00)·A∈Z1 ×k q

pk:= (G,[A]1,([Zi]1)0≤i≤`,[z00]1)

dk:= ([B]2,([di]2,[Ei]2)0≤i≤`)

sk:= (skMAC,(Yi)0≤i≤`,y00) Return(pk,dk,sk)

USKGen(sk,id∈ ID):

//t∈Znq;u= P

fi(id)x>i t+x 0 0 ∈Zq

v=Pl(id)

i=0fi(id)Yit+y00∈Zkq Fori=l(id) + 1, . . . , `:

di=x>it∈Zq

ei=Yit∈Zkq

usk[id] := ([t]2,[u]2,[v]2)∈Gn2 ×G12×Gk2

udk[id] := ([di]2,[ei]2)l(id)<i≤`∈(G1+k2 ) `−l(id) Return(usk[id],udk[id])

Enc(pk,id):

r_←$ Zkq

c0=Ar∈Zk+1q

c1= (Pl(_i=0id)fi(id)Zi)·r∈Znq K=z00·r∈Zq.

ReturnK= [K]T andC= ([c0]1,[c1]1)

USKDel(dk,usk[id],udk[id],id∈ Bp

,idp+1∈ B): Ifp≥m, then return⊥

id0:= (id1, . . . ,idp,idp+1)∈ Bp+1 //Delegation ofuandv:

ˆ

u=u+Pl(id0)

i=l(id)+1fi(id 0

)di∈Zq

ˆ

v=v+Pl(id0)

i=l(id)+1fi(id0)ei∈Zkq //Rerandomization ofuˆandvˆ:

s0_←$ Zn

0

q

t0=t+Bs0∈Znq u0= ˆu+Pl(id0)

i=0 fi(id0)dis0∈Zq

v0= ˆv+Pl(id0)

i=0 fi(id0)Eis0∈Zkq //Rerandomization ofd0iandei: Fori=l(id0) + 1, . . . , `:

d0i=di+dis0∈Zq

e0i=ei+Eis0∈Zkq

usk[id0] := ([t0]2,[u]2,[v0]2)∈Gn2×G12×Gk2

udk[id0] := ([d0i]2,[e0i]2)l(id0_)<i≤`∈(G1+k2 ) `−l(id0) Return(usk[id0],udk[id0])

Dec(usk[id],id,C):

K=e([c0]1,

v

u

2

Figure 13: Definition of the transformationHIBKEM[MAC,Dk].

usk[id0]from USKDel has the same distribution as the one output byUSKGen. By applying the similar correctness argument fromHIBKEM[MAC,Dk], we can show that a correctly generated ciphertext can be

correctly decapsulated by using a correct user secret key.

The next theorem shows IND-HID-CPA-security of our construction. Its proof is postponed to Ap-pendix B.1. We remark thatHIBKEM[MAC,Dk]can never be anonymous as one can always check whether c0·Pfi(id)(E>i kdi) =c1·Busing the pairing.

Theorem 5.6 IfMACisHPR0-CMA-secure and theDk-MDDHassumption holds inG1thenHIBKEM[MAC, Dk]isIND-HID-CPAsecure. For all adversariesAthere exist adversariesB1andB2withT(B1)≈T(A)≈ T(B2)andAdvind_HIBKEM-hid-cpa_[_MAC_,_D

k](A)≤AdvDk,GGen(B1) +Adv

hpr₀-cma MAC (B2).

5.5 Anonymity-preserving Transformation

In this section, we give an alternative (but less efficient) transformation, which is anonymity-preserving. Our transformation is based on the notion ofAPR-CMA-security (anonymity-preserving pseudorandom-ness against chosen-message attacks) for a delegatable affine MAC MAC over Znq with message space

M=B≤m_:=Sm

i=1B

i_{. It differs from}_{HPR-CMA-security (Section 5.1) in the sense that}

(20)

Initialize:

skMAC= (B,(xi)0≤i≤`,x00)←$ GenMAC(par)

Returnε

Eval(m): QM=QM∪ {m}

([t]2,[u]2)←$ Tag(skMAC,m)

S_←$ Zn

0_×_µ

q ;T=B·S∈Znq×µ

u=Pl(m) i=0fi(m)x

>

iT∈Z1q×µ Fori= (m) + 1, . . . , `:

di=x>it∈Zq;Di=x>iT∈Z1q×µ

Return([t]2,[u]2,[T]2,[u]2,([di]2,[Di]2)(m)+1≤i≤`)

Chal(m∗): // one query

h_←$ Zq

h0=Pfi(m∗i)xi·h∈Znq;h1 =x00·h∈Zq

(h0, h1)←$ Znq ×Zq Return([h]1,[h0]1,[h1]T)

Returnβ∧(Prefix(m∗)∩ QM=∅)

Figure 14: GamesAPR-CMAreal and APR-CMArand for definingAPR-CMAsecurity.

Definition 5.7 An affineMACover_Zn

q isAPR-CMA-secure if for PPTA,Adv apr-cma

MAC (A) := Pr[APR-CMA

A

real⇒ 1]−Pr[APR-CMAA_rand⇒1]is negligible.

Unfortunately, MACNR[Dk] is unlikely to be APR-CMA-secure, since in the security proof the value u is not pseudorandom and, thus, we can not make h0 random. The following theorem states that MACHPS[Dk] from Section 3 with message spaceM=B≤m= (Z∗q)≤mis anonymous and delegatable.

Theorem 5.8 Under theDk-MDDHassumption,MACHPS[Dk]isAPR-CMA-secure. In particular, for all

adversariesAthere exists an adversaryDwithT(A)≈T(D)andAdvapr_MAC-cma

HPS[Dk](A)≤4QAdvDk,GGen(D)+

2Q/q, whereQ is the maximal number of queries to_Eval(·).

The proof is postponed to Section A.2.

The Anonymity-Preserving Transformation. LetDkbe a matrix distribution that outputs

matri-ces A∈Z(qk+1)×k. LetMAC be an delegatable affine MAC overZnq with message spaceM=B≤m. Our

AHIBKEM[MAC,Dk] = (Gen,USKGen,USKDel,Enc,Dec)for key-spaceK=GT and hierarchical identity

space ID=M=B≤m _{is defined as in Fig. 15. Compared to the HIBE construction from Section 5.4,}

the new construction uses a different usk rerandomization method: USKGenoutputs a random basis T

for vector twhich allows rerandomization of t; similarly, uand V are bases for randomizing uand v. Further, Genwill never return[x>_i B]2and[YiB]2, which is the key to preserve anonymity.

Correctness of AHIBKEM[MAC,Dk] follows by the same argument as HIBKEM[MAC,Dk]. The

fol-lowing theorem shows PR-HID-CPA security of our construction. Its proof is the same as the one of Theorem 5.6 except that we make the ciphertext to be random based on theAPR-CMAsecurity. Details are postponed to Appendix B.2.

Theorem 5.9 IfMACisAPR-CMA-secure and theDk-MDDHassumption holds inG1thenAHIBKEM[MAC,Dk]

is PR-HID-CPA secure. In particular, for all adversaries A there exist adversaries B1 and B2 with

T(B1)≈T(A)≈T(B2)andAdvpr_AHIBKEM-hid-cpa_[_MAC_,_D

k](A)≤AdvDk,GGen(B1) +Adv

(21)

Gen(par):

A_{← D}$ k

skMAC= (B,x0, . . . ,x`, x00)←$ GenMAC(par)

Fori= 0, . . . , `:

Yi←$ Zkq×n;Zi= (Yi>|xi)·A∈Znq×k

y00←$ Zkq;z 0 0= (y

0 0 >

|x00)·A∈Z1q×k

pk:= (G,[A]1,([Zi]1)0≤i≤`,[z00]1)

sk:= (skMAC,(Yi)0≤i≤`,y00) Return(pk,sk)

USKGen(sk,id∈ ID):

//t∈Znq;u=Pfi(id)x>i t+x 0 0∈Zq

v=Pl(id)

i=0fi(id)Yit+y 0 0∈Zkq

S_←$ Zn

0_×_µ

q ;T=B·S∈Znq×µ

u=Pl(id) i=0fi(id)x

>

iT∈Z1q×µ

V=Pl(id)

i=0fi(id)YiT∈Z k×µ q Fori=l(id) + 1, . . . , `:

di=x>it∈Zq;Di=x>iT∈Z1 ×µ q

ei=Yit∈Zkq;Ei=YiT∈Zkq×µ

usk[id] := ([t]2,[u]2,[v]2)∈Gn2 ×G12×Gk2

udk[id] := ([T]2,[u]2,[V]2,([di]2,[Di]2,[ei]2,[Ei]2)l(id)<i≤`) ∈Gn2×µ×G

1×µ 2 ×G

k×µ

2 ×(G2×G12×µ×G k 2×G

k×µ 2 )

`−l(id) Return(usk[id],udk[id])

Enc(pk,id):

r_←$ Zkq

c0=Ar∈Zk+1q

c1= (Pl(_i=0id)fi(id)Zi)·r∈Znq K=z00·r∈Zq.

ReturnK= [K]T andC= ([c0]1,[c1]1)

USKDel(dk,usk[id],udk[id],id∈ Bp_,_id

p+1∈ B): Ifp≥m, then return⊥

id0:= (id1, . . . ,idp,idp+1)∈ Bp+1 //Delegation of(u,v)and(u,V):

ˆ

u=u+Pl(id0)

i=l(id)+1fi(id 0

)di∈Zq

ˆ

v=v+Pl(id0)

i=l(id)+1fi(id 0

)ei∈Zkq

ˆ

u=u+Pl(id0)

i=l(id)+1fi(id 0

)Di∈Z1q×µ

ˆ

V=V+Pl(id0)

i=l(id)+1fi(id 0

)Ei∈Zkq×µ

//Rerandomization of(ˆu,vˆ)and(ˆu,Vˆ):

s0_←$

Zµq;S←$ Zµq×µ

t0=t+Ts0∈Znq;T0= ˆT·S0∈Znq×µ u0= û+ û·s0∈Zq;u0= û·S0∈Z1q×µ

v0= ˆv+ ˆV·s0∈Zkq;V0= ˆV·S0∈Zkq×µ //Rerandomization ofd0iandei:

Fori=l(id0) + 1, . . . , `:

d0i=di+Dis0∈Zq;D0i=Di·S0∈Z1q×µ

e0i=ei+Eis0∈Zkq;E 0

i=Ei·S0∈Zkq×µ

usk[id0] := ([t0]2,[u0]2,[v0]2)

udk[id0] := ([T0]2,[u0]2,[V0]2,([d0i]2,[Di0]2,[e0i]2,

[E0i]2)l(id0_)<i≤`)

Return(usk[id0],udk[id0])

Dec(usk[id],id,C):

K=e([c0]1,

v

u

2

Figure 15: Definition of the transformationAHIBKEM[MAC,Dk]. µdenotes the rank ofB.

Acknowledgements

We thank Hoeteck Wee and Jie Chen for comments and helpful discussions. All authors were (partially) funded by a Sofja Kovalevskaja Award of the Alexander von Humboldt Foundation. Eike Kiltz was partially funded by ERC Project ERCC (FP7/615074). Jiaxin Pan was partially funded by the German Israeli Foundation.

References

[1] J. Alwen, Y. Dodis, M. Naor, G. Segev, S. Walfish, and D. Wichs. Public-key encryption in the bounded-retrieval model. In H. Gilbert, editor,EUROCRYPT 2010, volume 6110 of LNCS, pages 113–134. Springer, Heidelberg, May 2010. (Cited on page 30.)

[2] M. Bellare and S. Goldwasser. New paradigms for digital signatures and message authentication based on non-interative zero knowledge proofs. In G. Brassard, editor,CRYPTO’89, volume 435 of LNCS, pages 194–211. Springer, Heidelberg, Aug. 1990. (Cited on page 1, 3.)