Compact CCA2-secure Hierarchical Identity-Based Broadcast Encryption for Fuzzy-entity Data Sharing


Weiran Liu 1, Jianwei Liu 1, Qianhong Wu 1, Bo Qin 2, David Naccache 3, and Houda Ferradi 4

1 School of Electronic and Information Engineering, Beihang University, XueYuan Road No. 37, Haidian District, Beijing, China. liuweiran900217@gmail.com, liujianwei@buaa.edu.cn, qianhong.wu@buaa.edu.cn
2 School of Information, Renmin University of China, ZhongGuanCun Street No. 59, Haidian District, Beijing, China. bo.qin@ruc.edu.cn
3 Département d'Informatique, 45 rue d'Ulm, École normale supérieure, Paris cedex 05, F-75230, France. david.naccache@ens.fr, Houda.Ferradi@ens.fr

Abstract. With the advances of cloud computing, data sharing becomes easier for large-scale enterprises. When deploying privacy and security schemes in data sharing systems, fuzzy-entity data sharing, entity management, and efficiency must be taken into account, especially when the system is asked to share data with a large number of users in a tree-like structure. Hierarchical Identity-Based Encryption is a promising candidate to ensure fuzzy-entity data sharing functionalities while meeting the security requirement, but it encounters efficiency difficulties in multi-user settings. This paper proposes a new primitive called Hierarchical Identity-Based Broadcast Encryption (HIBBE) to support a multi-user data sharing mechanism. Similar to HIBE, HIBBE organizes users in a tree-like structure and users can delegate their decryption capability to their subordinates. Unlike HIBE, which merely allows a single decryption path, HIBBE enables encryption to any subset of the users, and only the intended users and their supervisors can decrypt. We define Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2) for HIBBE, which captures the most powerful attacks in the real world. We achieve this goal in the standard model in two steps. We first construct an efficient HIBBE Scheme (HIBBES) against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA), in which the attacker is not allowed to query the decryption oracle. Then we convert it into an IND-CIVS-CCA2 scheme at only a marginal cost, i.e., merely adding one on-the-fly dummy user at the first depth of the hierarchy in the basic scheme, without requiring any other cryptographic primitives. Our CCA2-secure scheme natively allows a public ciphertext validity test, which is a useful property when a CCA2-secure HIBBES is used to design advanced protocols and auditing mechanisms for HIBBE-based data sharing.

Keywords: Hierarchical Identity-Based Broadcast Encryption; Adaptive Security; Chosen-ciphertext Security; Fuzzy-entity Data Sharing

1 Introduction

The rapid development of Cloud Computing has brought great convenience for on-demand data sharing. Nowadays, large-scale enterprises choose to acquire cloud storage services from a cloud service provider, or establish their own cloud data centers, for cost-effective data sharing. In this paradigm, individual staff in such an enterprise can easily acquire useful data, while sharing data with their superiors, colleagues, and subordinates in an on-demand manner. This significantly improves communication efficiency and lowers data sharing expenses, thus bringing benefits to the enterprises. Due to its openness, a data sharing system is always deployed in a hostile environment and is vulnerable to a number of security threats [25]. Among all, data privacy, legal access, and data authenticity are the main security concerns in data sharing systems [12]. The above security issues can be respectively addressed with the help of traditional cryptographic tools, e.g., encryption, message authentication codes (MAC), and digital signatures. However, leveraging these cryptographic tools in large-scale data sharing systems may bring additional difficulties when taking into account other issues, such as fuzzy-entity data sharing, effective entity management, and efficiency.

Traditional cryptographic tools allow data encryption and data authentication only after explicitly knowing the receivers' public yet random information, i.e., public keys. When the personnel structure of the company changes, which happens rapidly in a large-scale enterprise, fuzzy-entity data sharing is needed so that staff can share data without knowing the receivers' public keys, but only their recognizable identities. Identity-Based Encryption (IBE), introduced by Shamir [37], allows one to securely communicate with others if he/she knows their public identities. In IBE, users' recognizable identities, such as their social security numbers, IPs or email addresses, are used as their public keys. A Private Key Generator (PKG) is used to generate secret keys associated with the users' public identities. One can encrypt to any user by specifying its recognizable identity, and only the intended user can decrypt. While IBE supports fuzzy-entity data sharing in the enterprise, it faces the difficulty of inefficient entity management. In IBE systems, every entity has to ask the PKG for a secret key associated with its own identity. However, the number of users in a data sharing system could be huge [25]. As the number of users in the system increases, the PKG may be kept busy generating secret keys in reply to key requests from the users. A method of sharing the PKG's burden is required. Hierarchical IBE (HIBE) extends IBE to endow a large number of users with a delegation mechanism. HIBE [20] organizes users in a tree-like structure which is consistent with the structure of large-scale enterprises and organizations [16, 42]. The PKG's burden is shared by upper-level users who can delegate secret keys to their subordinates. In the encryption process, the sender associates the ciphertext with an identity vector instead of a single identity. Then only the users whose identities appear in the specified identity vector can decrypt.

When applying HIBE in an enterprise or an organization for data sharing, one should also consider efficiency aspects, that is, the computation and communication costs in different data sharing situations. In such application scenarios, individual staff may have to simultaneously communicate and share data with multiple users in hierarchical organizations. For example, the enterprise may cooperate with a number of professors from different laboratories in a university to develop a new software system. The enterprise can separately encrypt to these professors by specifying their respective decryption paths. However, this trivial solution incurs a heavy encryption burden and long ciphertexts. Another example comes from the cloud-based electronic health record system, where medical staff should share patients' electronic health records with chief/assistant doctors in distinct departments [33]. Applying existing HIBE schemes in such systems is a reasonable solution. However, HIBE gradually becomes inefficient when the number of involved departments increases. We are interested in more practical solutions to such applications.

1.1 Our Contributions

We propose a new cryptographic primitive called Hierarchical Identity-Based Broadcast Encryption (HIBBE). Users in a tree-like structure can delegate their decryption capabilities to their subordinates, so that the burden of the PKG can be shared when the system hosts a large number of users. One can encrypt to any subset of the users, and only the intended ones and their supervisors can decrypt. We define the security notion for HIBBE, named Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2). In this notion, the attacker is simultaneously allowed to adaptively query for the secret keys of users recognized by identity vectors of its choice and to issue decryption queries for receiver identity vector sets at will. Even such an attacker cannot distinguish the encrypted messages, provided that the attacker does not query for the secret keys of the target users or their supervisors. Clearly, this definition captures the most powerful attacks on HIBBE in the real world. We obtain an IND-CIVS-CCA2 scheme in the standard model, without using random oracles, in two steps. We first construct an HIBBE Scheme (HIBBES) against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA) in the standard model, in which the attacker is not allowed to issue decryption queries. Then, at merely marginal cost, we convert the basic scheme into an IND-CIVS-CCA2 scheme by adding only one on-the-fly dummy user, rather than adding one hierarchy of users as in existing conversions from a CPA-secure hierarchical encryption scheme to a CCA2-secure one. Both schemes have constant size ciphertexts and are efficient in terms of communication and data sharing in multi-receiver situations. This novel cryptographic scheme suitably meets the security and efficiency requirements of large-scale enterprises, including fuzzy-entity data sharing, entity management, and efficiency.

Compared with the preliminary version [31] of the paper, in this extended work we give the formal security proof of the CPA security of the basic scheme; we further convert the CPA-secure HIBBES into a CCA2-secure HIBBES with a compact design, in the sense that the conversion does not require any other cryptographic primitives; and we formally prove that the resulting scheme is CCA2-secure in the standard model. Our CCA2-secure HIBBES allows a public ciphertext validity test, which is useful for a third party, e.g., a firewall, to filter invalid spam, and for system designers to design advanced protocols from HIBBE, e.g., publicly verifiable HIBBE allowing auditing for cloud data centers [13, 38], and data authentication of HIBBE-encrypted digital contents [26].

1.2 Related Work

Identity-Based Encryption. Since the concept of Identity-Based Encryption (IBE) was introduced by Shamir [37], it took a long time for researchers to construct a practical and fully functional IBE Scheme (IBES). In 2001, Boneh and Franklin [3, 4] precisely defined the security model of IBE and proposed the first practical IBES by using bilinear pairings. In the Boneh-Franklin security model, the adversary can adaptively request secret keys for the identities of its choice and can choose the challenge identity it wants to attack at any point during the key-requesting process, provided that the secret key for the challenge identity is not queried. The security of their IBES [3, 4] requires cryptographic hash functions to be modeled as random oracles. Canetti et al. [10, 11] formalized a slightly weaker security notion, called selective-ID security, in which the adversary must disclose the challenge identity before the public parameters are generated. They exhibited a selective-ID secure IBES without using random oracles. Since then, more practical IBES have been proposed that are shown to be secure without random oracles in the selective-ID security model [1] or in the standard security model [39]. These schemes are secure against CPA. Interestingly, some recent works [8, 9, 11] showed that CPA-secure IBES can be used to construct regular Public-Key Encryption systems with CCA2 security. Canetti, Halevi and Katz [11] exhibited a generic conversion by adding a one-time signature scheme and hashing the signature parameters as a special identity in encryption. Boneh and Katz [8] later presented a more efficient construction using a MAC to replace the one-time signature. More recently, Boyen et al. [9] introduced a new technique that can directly obtain CCA2 security from some particular IBES without extra cryptographic primitives. Park et al. [34] proposed a concrete CCA2-secure IBES with a tight security reduction in the random oracle model.

Broadcast Encryption. In Broadcast Encryption (BE) [18], a dealer is employed to generate and distribute decryption keys for users. A sender can encrypt to a subset of the users and only the privileged users can decrypt. This functionality models flexible secure one-to-many communication scenarios [35]. Since the BE concept was introduced in 1994 [18], many BE Schemes have been proposed to gain more preferable properties. We mention just a few of those properties, such as Stateless Receivers (after getting the broadcast secret keys, users do not need to update them) [17, 22], Fully Collusion Resistant (even if all users except the receiver set collude, they can obtain no information about the plaintext) [5], Dynamic (the dealer can dynamically recruit new members while the other members will not be affected) [15], Anonymity (a receiver does not need to know who the other receivers are when decrypting ciphertexts) [30], and Contributory Broadcast (anyone can send messages to any subset of the group members without a trusted key server) [41].

Identity-Based Broadcast Encryption. Identity-Based Broadcast Encryption (IBBE) incorporates the idea of BE into IBE and recognizes the users in a BES by their identities, instead of indexes assigned by the system. When one needs to send confidential messages to multiple users, the sender in IBBE can efficiently encrypt the message once to multiple users and simply broadcast the resulting ciphertext. Fully functional IBBE was formalized and realized by Delerablée with constant size ciphertexts and secret keys [14], although it is only selective-ID secure in the random oracle model. The up-to-date IBBE Schemes [21, 36, 27] are shown to be secure in the standard security model.

Hierarchical Identity-Based Encryption. Horwitz and Lynn [23] first proposed the concept of HIBE and presented a two-level HIBES in the same article. The first fully functional HIBE construction was proposed by Gentry and Silverberg [20]. Its security relies on the Bilinear Diffie-Hellman assumption in the random oracle model. Subsequently, Boneh and Boyen [1] introduced HIBES in the selective-ID model without using random oracles. Boneh, Boyen and Goh [2] presented a selective-ID secure HIBE with constant size ciphertext. Gentry and Halevi [19] constructed a fully secure HIBES supporting polynomial hierarchy depth. In 2009, Waters [40] proposed a new framework, called Dual System Encryption, for constructing fully secure IBES and HIBES. This approach has become a powerful tool for obtaining fully secure encryption schemes [28, 29]. These plain HIBES are CPA-secure. The techniques in the previously reviewed conversions [8, 9, 11] can be extended to achieve CCA2-secure HIBES from CPA-secure ones by adding one extra hierarchy to the underlying CPA-secure HIBES.

Generalized Identity-Based Encryption. Boneh and Hamburg [7] proposed a general framework for constructing IBES, named Generalized Identity-Based Encryption (GIBE), to incorporate different properties in IBE via a product rule. They also introduced an important instance of GIBE called Spatial Encryption (SE), showing that many GIBES are embedded in it, e.g., HIBE, inclusive IBE, and co-inclusive IBE, in identity-based-like settings. HIBBE can also be derived from SE. However, the HIBBE derived from their SE only has selective and chosen-plaintext security. Very recently, Zhang et al. [43] suggested two fully secure and anonymous SE schemes, which not only obtain full security, but further protect the recipients' identity privacy. Their constructions achieve CPA security and can be extended to CCA2 security, but also with the help of one-time signature schemes.

1.3 Paper Organization

The rest of the paper is organized as follows. In Section 2, we review composite order bilinear groups and the assumptions used in our constructions. Section 3 formalizes HIBBE and its security definitions. We propose a secure HIBBES against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack in Section 4. We then introduce a compact transformation that converts our CPA-secure HIBBES into a CCA2-secure one in Section 5. We conclude the paper in Section 6.

2 Preliminaries

2.1 Composite Order Bilinear Groups

Composite order bilinear groups were first introduced in [6]. Let $\mathcal{G}$ be an algorithm which takes a security parameter $\lambda$ as input and outputs the description of a bilinear group $(N, G, G_T, e)$, where $N = p_1 p_2 p_3$ is a composite integer with three distinct large prime factors $p_1$, $p_2$ and $p_3$, $G$ and $G_T$ are cyclic groups of order $N$, and $e : G \times G \to G_T$ is a bilinear map satisfying the following properties:
1. Bilinearity: for all $g, h \in G$ and $a, b \in \mathbb{Z}_N$, $e(g^a, h^b) = e(g, h)^{ab}$;
2. Non-degeneracy: there exists at least one element $g \in G$ such that $e(g, g)$ has order $N$ in $G_T$;
3. Computability: there exists an efficient algorithm, polynomial in $\lambda$, computing the bilinear pairing $e(u, v)$ for all $u, v \in G$.
In addition to these properties, the three subgroups of order $p_1$, $p_2$ and $p_3$ in $G$ (we respectively denote them by $G_{p_1}$, $G_{p_2}$ and $G_{p_3}$) satisfy the orthogonality property: for all $h_i \in G_{p_i}$ and $h_j \in G_{p_j}$, $e(h_i, h_j) = 1$ for $i \ne j$. This special property will be an essential tool in our constructions and the security proofs.

2.2 Assumptions in Composite Order Bilinear Groups

We will use three static assumptions to prove the security of our HIBBES. These three assumptions, which were first introduced by Lewko and Waters [28], hold if it is hard to find a nontrivial factor of $N$. Let $\mathcal{G}$ be a group generating algorithm that outputs a composite order bilinear group $(N = p_1 p_2 p_3, G, G_T, e)$. For ease of description, we let $G_{p_i p_j}$ denote the subgroup of order $p_i p_j$ in $G$. Let $g \in G_{p_1}$ be a random generator of $G_{p_1}$ and $X_3 \in G_{p_3}$ be a random element in $G_{p_3}$. Assumption 1 is that it is hard to determine whether $T$ is a random element in $G_{p_1 p_2}$ or a random element in $G_{p_1}$, given $D_1 = (g, X_3)$ as input. We define the advantage of an algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ in solving the first assumption in $\mathcal{G}$ to be
$$Adv1_{\mathcal{A}}(\lambda) = \left| \Pr[\mathcal{A}(D_1, T \in G_{p_1 p_2}) = 1] - \Pr[\mathcal{A}(D_1, T \in G_{p_1}) = 1] \right|$$
Definition 1. Assumption 1 states that $Adv1_{\mathcal{A}}(\lambda)$ is negligible for all polynomial time algorithms $\mathcal{A}$.

Let $g \in G_{p_1}$ be a random generator of $G_{p_1}$. Choose random elements $X_1 \in G_{p_1}$, $X_2, Y_2 \in G_{p_2}$ and $X_3, Y_3 \in G_{p_3}$. Assumption 2 is that, given the input $D_2 = (g, X_1 X_2, X_3, Y_2 Y_3)$, it is hard to determine whether $T$ is a random element in $G$ or a random element in $G_{p_1 p_3}$. We define the advantage of an algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ in solving the second assumption in $\mathcal{G}$ to be
$$Adv2_{\mathcal{A}}(\lambda) = \left| \Pr[\mathcal{A}(D_2, T \in G) = 1] - \Pr[\mathcal{A}(D_2, T \in G_{p_1 p_3}) = 1] \right|$$
Definition 2. Assumption 2 states that $Adv2_{\mathcal{A}}(\lambda)$ is negligible for all polynomial time algorithms $\mathcal{A}$.

Similarly, let $g \in G_{p_1}$ be a random generator of $G_{p_1}$, $X_2, Y_2, Z_2 \in G_{p_2}$ be random elements in $G_{p_2}$, $X_3 \in G_{p_3}$ be a random element in $G_{p_3}$, and $\alpha, s \in \mathbb{Z}_N$ be random exponents chosen in $\mathbb{Z}_N$. Assumption 3 states that, given $D_3 = (g, g^\alpha X_2, X_3, g^s Y_2, Z_2)$ as input, it is hard to determine whether $T$ is $e(g, g)^{\alpha s}$ or a random element in $G_T$. We define the advantage of an algorithm $\mathcal{A}$ that outputs $b \in \{0, 1\}$ in solving the third assumption in $\mathcal{G}$ to be
$$Adv3_{\mathcal{A}}(\lambda) = \left| \Pr[\mathcal{A}(D_3, T = e(g, g)^{\alpha s}) = 1] - \Pr[\mathcal{A}(D_3, T \in G_T) = 1] \right|$$
Definition 3. Assumption 3 states that $Adv3_{\mathcal{A}}(\lambda)$ is negligible for all polynomial time algorithms $\mathcal{A}$.

3 Syntax

3.1 Terminology and Notations

We introduce several notations to simplify the description of HIBBES. Table 1 summarizes these notations and their corresponding meanings.

Table 1. Notations
Notation   Description                              Notation   Description
λ          Security Parameter                       PK         Public Key
MSK        Master Key                               CT         Ciphertext
ID         Identity                                 ID (bold)  Identity Vector
I_ID       Identity Vector Position                 SK_ID      Secret Key for Identity Vector ID
|ID|       Depth of ID                              S_ID       Identity Set Associated with ID
V          Identity Vector Set                      I_V        Identity Vector Set Position
|V|        Depth of V                               S_V        Identity Set Associated with V

We use $[a, b]$ to denote the integer set $\{a, a + 1, \dots, b\}$. $|S|$ denotes the cardinality of the set $S$. For an identity vector $ID = (ID_1, ID_2, \dots, ID_d)$, we define $|ID| = d$ as the depth of $ID$ and $S_{ID} = \{ID_1, \dots, ID_d\}$ as the identity set associated with $ID$. The identity vector position of $ID$ is defined by $I_{ID} = \{i : ID_i \in S_{ID}\}$. Similarly, we define the maximal depth of an identity vector set as $|V| = \max\{|ID| : ID \in V\}$. The associated identity set $S_V$ of $V$ and the identity vector set position $I_V$ of $V$ can be defined accordingly. We slightly abuse the term prefix and define the prefix of an identity vector $ID = (ID_1, \dots, ID_d)$ as the identity vector set $\mathrm{Pref}(ID) = \{(ID_1, \dots, ID_{d'}) : d' \le d\}$. Clearly, $|\mathrm{Pref}(ID)| = |ID| = d$. We similarly define the prefix of an identity vector set $V$ as $\mathrm{Pref}(V) = \bigcup_{ID \in V} \mathrm{Pref}(ID)$.

In practice, a user may have more than one identity or parent node. In this case, we treat these users as different users with the same identity. Hence, without loss of generality, we assume that each user has a unique identity vector and can have at most one parent node. For example, assume that the users are organized as in Figure 1. For the user whose identity vector is $ID = (ID_1, ID_3)$, we have that $|ID| = 2$, $S_{ID} = \{ID_1, ID_3\}$, and $I_{ID} = \{1, 3\}$. The prefix of $ID$ is $\mathrm{Pref}(ID) = \{(ID_1), (ID_1, ID_3)\}$. Similarly, for the broadcast identity vector set $V = \{(ID_1, ID_3), (ID_2, ID_6, ID_7)\}$, we have that $|V| = \max\{2, 3\} = 3$, the identity set associated with $V$ is $S_V = \{ID_1, ID_3, ID_2, ID_6, ID_7\}$, and $I_V = \{1, 3, 2, 6, 7\}$. The prefix of $V$ is $\mathrm{Pref}(V) = \{(ID_1), (ID_1, ID_3), (ID_2), (ID_2, ID_6), (ID_2, ID_6, ID_7)\}$.
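The bookkeeping above (depth, identity set, position, prefix closure) decides who can decrypt a broadcast and which key queries the security game forbids. The following added example, which is not code from the paper, implements these definitions and reproduces the Figure 1 numbers; it models each identity by its global index, so the vector (ID_1, ID_3) is the tuple (1, 3), and the single-parent check is an assumption drawn from the paper's modelling convention.

```python
"""Identity-vector bookkeeping of HIBBE (Section 3.1), added example.

Identities are modelled by their global index i (the paper's ID_i), so the
identity vector (ID_1, ID_3) is the tuple (1, 3).  Nothing here touches the
pairing-based scheme; it only computes the combinatorial objects the scheme
and its security game are defined over.
"""
from typing import Dict, FrozenSet, Iterable, Tuple

IdVector = Tuple[int, ...]
IdVectorSet = FrozenSet[IdVector]


def depth(idv: IdVector) -> int:
    """|ID|: number of components of the identity vector."""
    return len(idv)


def id_set(idv: IdVector) -> FrozenSet[int]:
    """S_ID: the identities appearing in ID (here: their indices)."""
    return frozenset(idv)


def position(idv: IdVector) -> FrozenSet[int]:
    """I_ID = {i : ID_i in S_ID}; with index modelling it coincides with S_ID."""
    return frozenset(i for i in idv)


def prefix(idv: IdVector) -> IdVectorSet:
    """Pref(ID) = {(ID_1, ..., ID_d') : 1 <= d' <= d}.  |Pref(ID)| == |ID|."""
    return frozenset(idv[:k] for k in range(1, len(idv) + 1))


def set_depth(vs: Iterable[IdVector]) -> int:
    """|V| = max{|ID| : ID in V}."""
    return max(depth(v) for v in vs)


def set_id_set(vs: Iterable[IdVector]) -> FrozenSet[int]:
    """S_V: union of the identity sets of the vectors in V."""
    return frozenset().union(*(id_set(v) for v in vs))


def set_position(vs: Iterable[IdVector]) -> FrozenSet[int]:
    """I_V: union of the positions of the vectors in V."""
    return frozenset().union(*(position(v) for v in vs))


def set_prefix(vs: Iterable[IdVector]) -> IdVectorSet:
    """Pref(V) = union of Pref(ID) over ID in V: receivers plus all supervisors."""
    return frozenset().union(*(prefix(v) for v in vs))


def can_decrypt(idv: IdVector, receivers: Iterable[IdVector]) -> bool:
    """Decrypt(V, CT, SK_ID) returns M exactly when ID is in Pref(V)."""
    return idv in set_prefix(receivers)


def key_query_allowed(idv: IdVector, challenge: Iterable[IdVector]) -> bool:
    """IND-CIVS game restriction: secret-key queries must satisfy ID not in Pref(V*).

    Siblings and unrelated users are fine; a target or any of its supervisors
    would trivially break the challenge, so the game refuses them.
    """
    return idv not in set_prefix(challenge)


def single_parent_ok(vs: Iterable[IdVector]) -> bool:
    """Assumption of the paper's model: each identity index names one node, i.e.
    every index occurs as the last component of exactly one vector in Pref(V)."""
    last_seen: Dict[int, IdVector] = {}
    for node in set_prefix(vs):
        i = node[-1]
        if i in last_seen and last_seen[i] != node:
            return False
        last_seen[i] = node
    return True


def figure1_example() -> dict:
    """The worked numbers of Section 3.1 for ID = (ID_1, ID_3) and
    V = {(ID_1, ID_3), (ID_2, ID_6, ID_7)}."""
    idv: IdVector = (1, 3)
    V: IdVectorSet = frozenset({(1, 3), (2, 6, 7)})
    return {
        "depth_ID": depth(idv),
        "S_ID": id_set(idv),
        "I_ID": position(idv),
        "Pref_ID": prefix(idv),
        "depth_V": set_depth(V),
        "S_V": set_id_set(V),
        "Pref_V": set_prefix(V),
        "single_parent": single_parent_ok(V),
    }
```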

Fig. 1. A Typical Example of an HIBBES.

3.2 Hierarchical Identity-Based Broadcast Encryption

A $(D, n)$-HIBBES consists of five polynomial time algorithms: Setup, KeyGen, Delegate, Encrypt and Decrypt, defined as follows:

Setup$(D, n, \lambda)$. Takes as inputs the maximal depth $D$ of the hierarchy, the maximal number $n$ of users, and the security parameter $\lambda$. It outputs a master key $MSK$ and a public key $PK$.

Encrypt$(PK, M, V)$. Takes as inputs the public key $PK$, a message $M$ in the message space $\mathcal{M}$, and a receiver identity vector set $V$. It outputs the ciphertext $CT$ of the message $M$.

KeyGen$(MSK, ID)$. Takes as inputs the master key $MSK$ and an identity vector $ID$. It outputs a secret key $SK_{ID}$ for the user whose identity vector is $ID$.

Delegate$(SK_{ID}, ID')$. Takes as inputs a secret key of a user whose identity vector is $ID$ of depth $d$ and an identity $ID'$. It returns a secret key $SK_{ID''}$ for the user whose identity vector is $ID'' = (ID, ID')$.

Decrypt$(V, CT, SK_{ID})$. Takes as inputs a receiver identity vector set $V$, a ciphertext $CT$ of a message $M$, and a secret key $SK_{ID}$ of a user whose identity vector is $ID$. If $ID \in \mathrm{Pref}(V)$, it returns $M$.

An HIBBES must satisfy the standard consistency constraint, namely for all $D, n \in \mathbb{N}$, all $(PK, MSK) \leftarrow$ Setup$(D, n, \lambda)$, all $SK_{ID} \leftarrow$ KeyGen$(MSK, ID)$ or $SK_{ID} \leftarrow$ Delegate$(SK_{ID'}, ID'')$ with $|ID| \le D$, all $M \in \mathcal{M}$, and all $CT \leftarrow$ Encrypt$(PK, M, V)$ with $|V| \le D$ and $|S_V| \le n$: if $ID \in \mathrm{Pref}(V)$, then Decrypt$(V, CT, SK_{ID}) = M$.

We define the security notion, named Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Ciphertext Attack (IND-CIVS-CCA2), for HIBBE. In this security model, the adversary is allowed to obtain the secret keys associated with any identity vectors $ID$ of its choice and to issue decryption queries for its chosen ciphertexts, provided that the adversary does not query for the secret keys of its chosen receivers or their supervisors, nor for the decryption of the challenge ciphertext. We require that even such an adversary cannot distinguish the encrypted messages of its choice. IND-CIVS-CCA2 security is defined through a game played by an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$. Both of them are given the parameters $D$, $n$ and $\lambda$ as inputs.

Setup. $\mathcal{C}$ runs the Setup algorithm to obtain the public key $PK$ and gives it to $\mathcal{A}$.

Phase 1. $\mathcal{A}$ adaptively issues two kinds of queries:
- Secret key query for an identity vector $ID$. $\mathcal{C}$ generates a secret key for $ID$ and gives it to $\mathcal{A}$.
- Decryption query for a ciphertext $CT$ with a receiver identity vector set $V$. $\mathcal{C}$ responds by running algorithm KeyGen to generate a secret key $SK_{ID}$ for an identity vector $ID$ satisfying $ID \in \mathrm{Pref}(V)$. It then decrypts the ciphertext $CT$ and returns the resulting message to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs two equal-length messages $M_0$ and $M_1$ on which $\mathcal{A}$ wishes to be challenged. Also, $\mathcal{A}$ outputs a challenge identity vector set $V^*$ which contains all the users that $\mathcal{A}$ wishes to attack. The identity vector set $V^*$ must be such that for all the secret key queries for $ID$ issued in Phase 1, $ID \notin \mathrm{Pref}(V^*)$. $\mathcal{C}$ flips a random coin $b \in \{0, 1\}$ and encrypts $M_b$ under the challenge identity vector set $V^*$. $\mathcal{C}$ returns the challenge ciphertext $CT^*$ to $\mathcal{A}$.

Phase 2. $\mathcal{A}$ further adaptively issues two kinds of queries:
- Secret key queries for identity vectors $ID$ such that $ID \notin \mathrm{Pref}(V^*)$.
- Decryption queries for ciphertexts $CT$ such that $CT \ne CT^*$.
$\mathcal{C}$ responds the same as in Phase 1.

Guess. Finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ and wins the game if $b' = b$.

The advantage of such an $\mathcal{A}$ in attacking the $(D, n)$-HIBBES with security parameter $\lambda$ is defined as
$$Adv^{IND\text{-}CIVS\text{-}CCA2}_{\mathcal{A}, D, n}(\lambda) = \left| \Pr[b' = b] - \tfrac{1}{2} \right|$$
Definition 4. A $(D, n)$-HIBBES is $(\tau, q, q_d, \epsilon)$-secure if for any $\tau$-time IND-CIVS-CCA2 adversary $\mathcal{A}$ that makes at most $q$ secret key queries and $q_d$ decryption queries, $Adv^{IND\text{-}CIVS\text{-}CCA2}_{\mathcal{A}, D, n}(\lambda) < \epsilon$.

As usual, we define Ciphertext Indistinguishability against Adaptively Chosen-Identity-Vector-Set and Chosen-Plaintext Attack (IND-CIVS-CPA) for HIBBE as in the preceding game, with the constraint that $\mathcal{A}$ is not allowed to issue any decryption query. $\mathcal{A}$ is still able to adaptively issue secret key queries.

Definition 5. A $(D, n)$-HIBBES is $(\tau, q, \epsilon)$-secure if for any $\tau$-time IND-CIVS-CPA adversary $\mathcal{A}$ that makes at most $q$ secret key queries, we have that $Adv^{IND\text{-}CIVS\text{-}CPA}_{\mathcal{A}, D, n}(\lambda) < \epsilon$.

Since it is challenging to achieve full identity/identity-vector security in BE and HIBE, some weaker security notions have been proposed to bridge security proofs or cater for special applications which require only moderate security levels. One useful security notion, called selective security, was first proposed by Canetti, Halevi, and Katz [10, 11] for IBES. In this notion, $\mathcal{A}$ must commit ahead of time to the challenge identity it will attack. Similar security notions can also be found in HIBES [1] and IBBES [14]. A counterpart security notion can be naturally defined for HIBBES, by requiring the adversary in HIBBE to submit a challenge identity vector set before seeing the public parameters. Another useful security notion, named semi-static security, can also be extended to HIBBES. This security notion was first defined by Gentry and Waters [21] for BES. In this notion, $\mathcal{A}$ must first commit to a set $S^*$ before the Setup phase. $\mathcal{A}$ cannot query for the secret key of any user in $S^*$, but it can attack any target set $S \subseteq S^*$. This security notion is weaker than full security but stronger than selective security, since $\mathcal{A}$ can partly decide which set it is allowed to query adaptively. In HIBBES, a similar security notion can be defined by requiring $\mathcal{A}$ to submit an identity vector set $V^*$ before the Setup phase and later allowing $\mathcal{A}$ to challenge any identity vector set $V \subseteq \mathrm{Pref}(V^*)$. Recently, a practical HIBBES with a moderate security result was proposed to meet this security notion [32].

4 IND-CIVS-CPA Secure HIBBE with Constant Size Ciphertext

In this section, we propose an IND-CIVS-CPA secure HIBBE with constant size ciphertext over composite order bilinear groups of order $N = p_1 p_2 p_3$. Our starting point is the Lewko-Waters fully secure HIBES [28], which was inspired by the Boneh-Boyen-Goh selectively secure HIBES [2]. To support broadcast, every user in our system, instead of every depth of the hierarchy as in [2, 28], is associated with a random element for blinding its own identity vector in its secret key. Since users' identities have been randomized by different elements, users cannot reveal any information about other users' secret keys from their own ones. We realize the functionalities in $G_{p_1}$, while randomizing secret keys in $G_{p_3}$. The $G_{p_2}$ space, called the semi-functional space, is only used in the security proofs.

4.1 Basic Construction

We first assume that the identity vectors at depth $k$ are vectors of elements in $\mathbb{Z}_N^k$. We later extend the construction to identity vectors over $(\{0, 1\}^*)^k$ by first hashing each component $ID_j \in S_{ID}$ using a collision resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_N$. We also assume that plaintexts are elements of $G_T$. Similar to HIBES, we assume that users' positions in HIBBE are publicly known during the processing of KeyGen, Delegate, Encrypt and Decrypt. Our $(D, n)$-HIBBES works as follows.

Setup$(D, n, \lambda)$. Run $(N, G, G_T, e) \leftarrow \mathcal{G}(1^\lambda)$ to generate a composite integer $N = p_1 p_2 p_3$, two groups $G, G_T$ of order $N$, and a bilinear map $e : G \times G \to G_T$. Then, select a random generator $g \in G_{p_1}$, two random elements $h \in G_{p_1}$, $X_3 \in G_{p_3}$, and a random exponent $\alpha \in \mathbb{Z}_N$. Next, pick random elements $u_i \in G_{p_1}$ for all $i \in [1, n]$. The public key $PK$ includes the description of $(N, G, G_T, e)$, as well as
$$PK = \left( g,\ h,\ u_1, \dots, u_n,\ X_3,\ e(g, g)^\alpha \right)$$
The master key is $MSK = g^\alpha$.

KeyGen$(MSK, ID)$. For an identity vector $ID$ of depth $d \le D$, the key generation algorithm picks a random exponent $r \in \mathbb{Z}_N$ and two random elements $A_0, A_1 \in G_{p_3}$. It then chooses random elements $U_j \in G_{p_3}$ for all $j \in [1, n] \setminus I_{ID}$ and outputs
$$SK_{ID} = \left( g^\alpha \Big( h \prod_{i \in I_{ID}} u_i^{ID_i} \Big)^r A_0,\ g^r A_1,\ \{ u_j^r U_j \}_{j \in [1, n] \setminus I_{ID}} \right)$$

Delegate$(SK_{ID}, ID')$. Given a secret key
$$SK_{ID} = \left( g^\alpha \Big( h \prod_{i \in I_{ID}} u_i^{ID_i} \Big)^r A_0,\ g^r A_1,\ \{ u_j^r U_j \}_{j \in [1, n] \setminus I_{ID}} \right) = \left( a_0,\ a_1,\ \{ b_j \}_{j \in [1, n] \setminus I_{ID}} \right)$$
the delegation algorithm generates a secret key for $ID'' = (ID, ID')$ as follows. Let $i' \in I_{ID''} \setminus I_{ID}$ be the position of the new identity $ID'$. It picks a random exponent $t \in \mathbb{Z}_N$, and also chooses two random elements $R_0, R_1 \in G_{p_3}$. Next, for all $j \in [1, n] \setminus I_{ID''}$, it chooses random elements $T_j \in G_{p_3}$. The algorithm outputs
$$SK_{ID''} = \left( a_0 \cdot b_{i'}^{ID_{i'}} \cdot \Big( h \prod_{i \in I_{ID''}} u_i^{ID_i} \Big)^t R_0,\ a_1 g^t R_1,\ \{ b_j u_j^t T_j \}_{j \in [1, n] \setminus I_{ID''}} \right)$$
Note that by implicitly setting $r' = r + t \in \mathbb{Z}_N$, $A'_0 = A_0 U_{i'}^{ID_{i'}} R_0 \in G_{p_3}$, $A'_1 = A_1 R_1 \in G_{p_3}$, and $U'_j = U_j T_j \in G_{p_3}$ for all $j \in [1, n] \setminus I_{ID''}$, this secret key can be written in the form
$$SK_{ID''} = \left( g^\alpha \Big( h \prod_{i \in I_{ID''}} u_i^{ID_i} \Big)^{r'} A'_0,\ g^{r'} A'_1,\ \{ u_j^{r'} U'_j \}_{j \in [1, n] \setminus I_{ID''}} \right)$$
which is well-formed, as if it were generated by the KeyGen algorithm. Hence $SK_{ID''}$ is a properly distributed secret key for $ID'' = (ID, ID')$.

Encrypt$(PK, M, V)$. For the receiver identity vector set $V$, the encryption algorithm picks a random exponent $\beta \in \mathbb{Z}_N$ and outputs the ciphertext
$$CT = (C_0, C_1, C_2) = \left( g^\beta,\ \Big( h \prod_{i \in I_V} u_i^{ID_i} \Big)^\beta,\ e(g, g)^{\alpha \beta} M \right)$$

Decrypt$(V, CT, SK_{ID})$. Given the ciphertext $CT = (C_0, C_1, C_2)$, any user whose identity vector satisfies $ID \in \mathrm{Pref}(V)$ can use its corresponding secret key $SK_{ID} = (a_0, a_1, \{ b_j \}_{j \in [1, n] \setminus I_{ID}})$ to compute
$$K = a_0 \prod_{j \in I_V \setminus I_{ID}} b_j^{ID_j}$$
Then it outputs the message by calculating $M = C_2 \cdot e(C_1, a_1) / e(K, C_0)$.

9 Soundness. If the cphertext CT = C 0, C 1, C 2 s well-formed, then we have K = a 0 j = g α h r A 0 j I V \I ID b IDj I V j I V \I ID U j Note that all random elements n G p3 can be cancelled n the parng operatons due to the orthogonalty property. Therefore, for the blndng factor n C 2, the followng equaltes hold: e h β, g r A 1 I ec 1, a 1 ek, C 0 = V e g α h r, g β = e I V h e g α, g β e I V h A 0 U j j I V \I ID β, g r I V 1 r = e g, g αβ, g β It follows that C 2 ec 1, a 1 ek, C 0 = M eg, gαβ eg, g αβ = M 4.2 Securty Analyss The securty of our scheme s guaranteed by the followng Theorem. In a hgh level, the proof of our HIBBES follows the proof framework of Lewko-Waters HIBES [28], wth an extra effort to generate cphertexts for supportng broadcast. Theorem 1. Let G be a group of composte order N endowed wth an effcent blnear map. Our HIBBES s IND-CIVS-CPA secure f all the three assumptons defned n Defnton 1, Defnton 2 and Defnton 3 hold n G. To prove the IND-CIVS-CPA securty of our scheme, we apply the Dual System Encrypton technque ntroduced by Waters [40] for obtanng adaptvely secure IBES and HIBES. Ths technque has been shown to be a powerful tool for securty proofs [28, 29]. In a Dual System Encrypton system, the cphertexts and keys can take one of two ndstngushable forms: normal form and sem-functonal form. Normal keys can decrypt normal or sem-functonal cphertexts, and sem-functonal cphertexts can be decrypted by normal or sem-functonal keys. Decrypton wll fal when one uses a sem-functonal key to decrypt a sem-functonal cphertext. Snce these two knds of keys and cphertexts are ndstngushable, the smulator can replace all normal cphertexts and keys wth sem-functonal ones n the securty game. When all cphertexts and keys are sem-functonal, A obtans no nformaton about the challenge cphertext as none of the gven keys are useful to decrypt the challenge cphertext. We frst need to defne the sem-functonal key and the sem-functonal cphertext. 
They wll only be used n the securty proof. Let g 2 Gp2 be a random generator of G p2, the sem-functonal cphertext and the sem-functonal key are defned as follows: Sem-Functonal Cphertext. un Encrypt to construct a normal cphertext CT = C 0, C 1, C 2. Then, choose random exponents x, y c ZN and set C 0 = C 0, C 1 = C 1g xyc 2, C 2 = C 2g x 2 Sem-Functonal Key. For an dentty vector ID, run KeyGen to generate ts normal secret key SK = a 0, a 1, {b j} j [1,n]\IID 9

10 Then, choose random exponents γ, y k G N, z j G N for all j [1, n]\i ID and set a 0 = a 0g γ 2, a 1 = a 1g γy k 2, {b j = b jg γzj 2 } j [1,n]\IID Decrypt wll correctly output the message M when decryptng a sem-functonal cphertext usng a normal key or a sem-functonal key snce the added elements n G p2 wll be cancelled due to the orthogonalty property. However, the blndng factor wll be multpled by the addtonal term eg 2, g 2 xγy k y c when tryng to decrypt the sem-functonal cphertext usng a sem-functonal key, unless y k = y c wth probablty 1 N. In ths case, we call the key a nomnally sem-functonal key. In the sem-functonal secret key, the exponent y k used for blndng the second component a 1 and the exponents z j used for blndng the thrd component a 2 are chosen randomly and only appear at most twce n the securty game. Therefore, from A s vew the components n G p2 for the sem-functonal secret keys look random so that t does not helpful for A to dstngush the sem-functonal secret key from a normal one, except wth neglgble probablty 1 N when nomnally sem-functonal secret keys s concdentally generated. We prove securty by usng a sequence of games: Game eal. It s the real securty game. Game estrcted. It s dentcal wth Game eal, except that n Phase 2, A cannot ask for dentty vectors ID = ID 1,, ID d satsfyng ID = ID1,, IDd PrefV wth d d, s.t. [1, d ], ID = ID mod p 2, where V s the challenge dentty vector set. Game k. Suppose that A can make q secret key queres n Phase 1 and Phase 2. Ths game s dentcal wth the Game estrcted, except that the challenge cphertext s sem-functonal and the frst k keys are sem-functonal, whle the rest of the keys are normal. We note that n Game 0, only the challenge cphertext s sem-functonal; n Game q, the challenge cphertext and all secret keys are sem-functonal. Game Fnal. It s the same as Game q, except that the challenge cphertext s a sem-functonal encrypton of a random message n G T, not one of the messages gven by A. 
Given a security parameter $\lambda$, we denote the advantages of winning Game_Real, Game_Restricted, Game_k and Game_Final by $\mathrm{Adv}^{CPA}_{Real}(\lambda)$, $\mathrm{Adv}^{CPA}_{Restricted}(\lambda)$, $\mathrm{Adv}^{CPA}_{k}(\lambda)$ and $\mathrm{Adv}^{CPA}_{Final}(\lambda)$ respectively. We show that these games are indistinguishable in the following four lemmas.

Lemma 1. Suppose Assumption 2 (Definition 2) holds. Then no polynomial-time algorithm can distinguish Game_Real from Game_Restricted with non-negligible advantage.

Proof. Suppose an adversary A distinguishes Game_Real from Game_Restricted with advantage $\epsilon$. By the definition of Game_Restricted, A must then issue a secret key query for an identity vector $ID = (ID_1, \ldots, ID_d)$ that is not in $\mathrm{Pref}(V^*)$ but for which some $ID' = (ID'_1, \ldots, ID'_{d'}) \in \mathrm{Pref}(V^*)$ with $d \le d'$ satisfies $ID_i \equiv ID'_i \pmod{p_2}$ for all $i \in [1,d]$. A non-trivial factor of $N$ can then be extracted by computing $\gcd(ID_i - ID'_i, N)$ for an index $i$ with $ID_i \ne ID'_i$, from which an algorithm analogous to the one in the proof of Lemma 5 of [28] refutes Assumption 2 with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon/2$. We omit the details to avoid repetition.

Compared with Game_Restricted, in Game_0 the challenge ciphertext is replaced by a semi-functional one. Since A does not know the factorization of $N = p_1p_2p_3$, it cannot determine whether the components of the challenge ciphertext lie in $G_{p_1}$ or in $G_{p_1p_2}$, so it cannot tell which form the challenge ciphertext has. This implies the indistinguishability of Game_Restricted and Game_0. Formally, we have the following lemma.

Lemma 2. Suppose Assumption 1 (Definition 1) holds. Then no polynomial-time algorithm can distinguish Game_Restricted from Game_0 with non-negligible advantage.

Proof. Suppose an adversary A distinguishes Game_Restricted from Game_0 with advantage $\epsilon_0$. We construct an algorithm B that refutes Assumption 1 with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$. The input of B is the challenge tuple $(g, X_3, T)$ of Assumption 1, and B must decide whether $T \in G_{p_1}$ or $T \in G_{p_1p_2}$. B sets up the public key as follows. It randomly chooses $\alpha \in \mathbb{Z}_N$ and $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0,n]$, sets $h = g^{\gamma_0}$ and $u_i = g^{\gamma_i}$ for all $i \in [1,n]$, and gives the public key $PK = (g, h, u_1, \ldots, u_n, X_3, e(g,g)^{\alpha})$ to A, keeping the master key $MSK = g^{\alpha}$ to itself.

Assume A issues a secret key query for the identity vector $ID = (ID_1, \ldots, ID_d)$. B chooses random $r, w_0, w_1 \in \mathbb{Z}_N$ and $v_j \in \mathbb{Z}_N$ for all $j \in [1,n] \setminus I$, where $I = \{ i : ID_i \in S_{ID} \}$, and returns the normal key
$$SK_{ID} = \Big( g^{\alpha} \big( h \prod_{i \in I} u_i^{ID_i} \big)^{r} X_3^{w_0},\ g^{r} X_3^{w_1},\ \{ u_j^{r} X_3^{v_j} \}_{j \in [1,n] \setminus I} \Big).$$
When A decides that the Challenge phase starts, it outputs two equal-length messages $M_0, M_1 \in G_T$ together with a challenge identity vector set $V^*$. B flips a random coin $b \in \{0,1\}$ and returns the challenge ciphertext
$$CT^* = (C_0^*, C_1^*, C_2^*) = \Big( T,\ T^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i},\ M_b \cdot e(g, T)^{\alpha} \Big),$$
where $I^* = \{ i : ID_i \in S_{V^*} \}$. Finally A outputs a guess of whether it is in Game_Restricted or in Game_0. B guesses $T \in G_{p_1}$ if A decides Game_Restricted, and $T \in G_{p_1p_2}$ otherwise. If $T \in G_{p_1}$, this is a normal ciphertext, with $\beta$ implicitly defined by $T = g^{\beta}$, so B simulates Game_Restricted. If $T \in G_{p_1p_2}$, write $T = g^{\beta} g_2^{x}$; then $C_0^*$ and $C_1^*$ carry the $G_{p_2}$ parts $g_2^{x}$ and $g_2^{x y_c}$ with $y_c = \gamma_0 + \sum_{i \in I^*} ID_i \gamma_i$, while $C_2^* = M_b \cdot e(g,g)^{\alpha\beta}$ because $g \in G_{p_1}$, so $CT^*$ is a semi-functional ciphertext and B simulates Game_0. Therefore, if A has advantage $\epsilon_0$ in distinguishing Game_Restricted from Game_0, B distinguishes the distribution of $T$ with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$.

Similarly, Game_{k-1} and Game_k are indistinguishable. Determining whether the $k$-th queried key is normal or semi-functional amounts to determining whether its components lie in $G_{p_1p_3}$ or in $G_N$, which is computationally hard without factoring $N = p_1p_2p_3$. Hence we have the following lemma.

Lemma 3. Suppose Assumption 2 (Definition 2) holds. Then no polynomial-time algorithm can distinguish Game_{k-1} from Game_k with non-negligible advantage.

Proof. Suppose an adversary A distinguishes Game_{k-1} from Game_k with advantage $\epsilon_k$. We construct an algorithm B that refutes Assumption 2 with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$. The input of B is the challenge tuple $(g, X_1X_2, X_3, Y_2Y_3, T)$ of Assumption 2.
B has to decide whether $T \in G_N$ or $T \in G_{p_1p_3}$. B runs Setup exactly as in the proof of Lemma 2: it publishes $PK = (g, h, u_1, \ldots, u_n, X_3, e(g,g)^{\alpha})$ with $h = g^{\gamma_0}$ and $u_i = g^{\gamma_i}$ for all $i \in [1,n]$, and keeps the master key $MSK = g^{\alpha}$ secret.

When receiving the $l$-th secret key query, with $l < k$, for an identity vector $ID = (ID_1, \ldots, ID_d)$, B answers with a semi-functional key. Let $I = \{ i : ID_i \in S_{ID} \}$. B chooses random $r, w_0, w_1 \in \mathbb{Z}_N$ and $v_j \in \mathbb{Z}_N$ for all $j \in [1,n] \setminus I$ and returns
$$SK_{ID} = \Big( g^{\alpha} \big( h \prod_{i \in I} u_i^{ID_i} \big)^{r} (Y_2Y_3)^{w_0},\ g^{r} (Y_2Y_3)^{w_1},\ \{ u_j^{r} (Y_2Y_3)^{v_j} \}_{j \in [1,n] \setminus I} \Big).$$
This is a well-formed semi-functional key, obtained by implicitly setting $g_2^{\gamma} = Y_2^{w_1}$, $y_k = w_0 / w_1$ and $z_j = v_j / w_1$; the $Y_3$ parts only re-randomize the $G_{p_3}$ blinding.

For the $l$-th secret key query with $k < l \le q$, B runs the usual key generation algorithm and returns a normal secret key to A.

For the $k$-th secret key query, for an identity vector $ID$ with $I = \{ i : ID_i \in S_{ID} \}$, B chooses random exponents $w_0 \in \mathbb{Z}_N$ and $v_j \in \mathbb{Z}_N$ for all $j \in [1,n] \setminus I$ and outputs
$$SK_{ID} = \Big( g^{\alpha}\, T^{\gamma_0 + \sum_{i \in I} ID_i \gamma_i}\, X_3^{w_0},\ T,\ \{ T^{\gamma_j} X_3^{v_j} \}_{j \in [1,n] \setminus I} \Big).$$
If $T \in G_{p_1p_3}$, all components of this key lie in $G_{p_1p_3}$, so it is a normal secret key (with $r$ implicitly defined by the $G_{p_1}$ part of $T$). Otherwise it is a semi-functional key, obtained by implicitly setting $y_k = \gamma_0 + \sum_{i \in I} ID_i \gamma_i$ and $z_j = \gamma_j$.

In the Challenge phase, B receives two equal-length messages $M_0, M_1 \in G_T$ and a challenge identity vector set $V^*$ from A. It chooses a random bit $b \in \{0,1\}$ and returns
$$CT^* = (C_0^*, C_1^*, C_2^*) = \Big( X_1X_2,\ (X_1X_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i},\ M_b \cdot e(g, X_1X_2)^{\alpha} \Big)$$
to A, where $I^* = \{ i : ID_i \in S_{V^*} \}$. This ciphertext is semi-functional with $y_c = \gamma_0 + \sum_{i \in I^*} ID_i \gamma_i$.

By the restriction of Game_Restricted, the identity vector of the $k$-th key is not a prefix of any receiver in $V^*$ modulo $p_2$, so the values $y_c$ and $y_k$, which depend on the $\gamma_i$ only modulo $p_2$, look independently random to A, and their relationship gives A no help in distinguishing the two games.

Although hidden from A, the relationship between $y_c$ and $y_k$ matters: it prevents B from testing by itself whether the $k$-th key is semi-functional, which it might try by generating a semi-functional ciphertext for some identity vector set $V$ with $ID \in \mathrm{Pref}(V)$ and decrypting it with the $k$-th key. Indeed, B can only generate a nominally semi-functional key for the $k$-th query: with $I = \{ i : ID_i \in S_{ID} \}$ and $I' = \{ i : ID_i \in S_V \}$ we have
$$y_k + \sum_{i \in I' \setminus I} ID_i \gamma_i = y_c ,$$
so if B tries this, decryption always succeeds, even when the $k$-th key is semi-functional. Hence B cannot test whether the $k$-th key is semi-functional without A's help. This is the only place where a nominally semi-functional key is used; for all other queried keys the exponents in $G_{p_2}$ are chosen at random, so those keys are randomly blinded by $G_{p_2}$ elements and do not help A win the security game.

B finally outputs $T \in G_{p_1p_3}$ if A answers that it is in Game_{k-1}, and $T \in G_N$ if A answers that it is in Game_k. If $T \in G_{p_1p_3}$, all components of the $k$-th key generated by B lie in $G_{p_1p_3}$, so it is a normal secret key and B simulates Game_{k-1}. If $T \in G_N$, the $k$-th key is semi-functional and B simulates Game_k. If A has advantage $\epsilon_k$ in distinguishing the two games, B distinguishes $T \in G_{p_1p_3}$ from $T \in G_N$ with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$.

Lemma 4. Suppose Assumption 3 (Definition 3) holds. Then no polynomial-time algorithm can distinguish Game_q from Game_Final with non-negligible advantage.

Proof. Suppose an adversary A distinguishes Game_q from Game_Final with advantage $\epsilon_F$. Invoking A as a black box, we build an algorithm B refuting Assumption 3 with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$. B is given the challenge tuple $(g, g^{\alpha}X_2, X_3, g^{s}Y_2, Z_2, T)$ and must decide whether $T = e(g,g)^{\alpha s}$ or $T$ is a random element of $G_T$. B randomly chooses $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0,n]$ and sets the public key
$$PK = \big( g,\ h = g^{\gamma_0},\ u_1 = g^{\gamma_1}, \ldots, u_n = g^{\gamma_n},\ X_3,\ e(g,g)^{\alpha} = e(g^{\alpha}X_2, g) \big).$$
When A requests a secret key for an identity vector $ID$, B chooses random exponents $r, w_0, w_1, t_0, t_1 \in \mathbb{Z}_N$ and $v_j, z_j \in \mathbb{Z}_N$ for all $j \in [1,n] \setminus I$, where $I = \{ i : ID_i \in S_{ID} \}$, and outputs
$$SK_{ID} = \Big( g^{\alpha}X_2 \big( h \prod_{i \in I} u_i^{ID_i} \big)^{r} Z_2^{t_0} X_3^{w_0},\ g^{r} Z_2^{t_1} X_3^{w_1},\ \{ u_j^{r} Z_2^{z_j} X_3^{v_j} \}_{j \in [1,n] \setminus I} \Big).$$
This key is semi-functional, with $g_2^{\gamma} = Z_2^{t_1}$ and $g_2^{\gamma y_k} = X_2 Z_2^{t_0}$; since $t_0$ is uniform, so is $y_k$.

In the challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$ and a challenge identity vector set $V^*$. Denote $I^* = \{ i : ID_i \in S_{V^*} \}$. B chooses a random bit $b \in \{0,1\}$ and outputs the semi-functional ciphertext
$$CT^* = (C_0^*, C_1^*, C_2^*) = \Big( g^{s}Y_2,\ (g^{s}Y_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i},\ M_b \cdot T \Big).$$

If A guesses that it is in Game_q, B outputs $T = e(g,g)^{\alpha s}$; otherwise B outputs that $T$ is a random element of $G_T$. If $T = e(g,g)^{\alpha s}$, then $CT^*$ is a semi-functional encryption of $M_b$ (with $\beta = s$ and $y_c = \gamma_0 + \sum_{i \in I^*} ID_i \gamma_i$ implicitly), so B simulates Game_q. If $T$ is random in $G_T$, then $CT^*$ is a semi-functional encryption of a random message independent of $M_b$, so B simulates Game_Final. Hence, if A has advantage $\epsilon_F$ in distinguishing these two games, B distinguishes the distribution of $T$ with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$.

Intuitively, since all keys and the challenge ciphertext are semi-functional in Game_q, none of the keys given to A decrypts the challenge ciphertext, so A obtains no information about the encrypted message and cannot notice that it has been replaced by a random element. This is the indistinguishability of Game_q and Game_Final.

With the above lemmas the games are indistinguishable, and in the final game the encrypted message is information-theoretically hidden from A. The proof of Theorem 1 follows.

Proof (of Theorem 1). If the three assumptions hold, then for every polynomial-time adversary A the advantages $\mathrm{Adv1}_A(\lambda)$, $\mathrm{Adv2}_A(\lambda)$ and $\mathrm{Adv3}_A(\lambda)$ are negligible. In Game_Final the challenge ciphertext is a random element of $G_T$, so the bit $b$ chosen by the challenger is information-theoretically hidden from A and $\mathrm{Adv}^{CPA}_{Final}(\lambda) = 0$. Applying Lemma 1, Lemma 2, Lemma 3 (for $k = 1, \ldots, q$) and Lemma 4, we have
$$\begin{aligned}
\mathrm{Adv}^{CPA}_{Real}(\lambda) &\le \big|\mathrm{Adv}^{CPA}_{Real}(\lambda) - \mathrm{Adv}^{CPA}_{Restricted}(\lambda)\big| + \big|\mathrm{Adv}^{CPA}_{Restricted}(\lambda) - \mathrm{Adv}^{CPA}_{0}(\lambda)\big| \\
&\quad + \sum_{k=1}^{q} \big|\mathrm{Adv}^{CPA}_{k-1}(\lambda) - \mathrm{Adv}^{CPA}_{k}(\lambda)\big| + \big|\mathrm{Adv}^{CPA}_{q}(\lambda) - \mathrm{Adv}^{CPA}_{Final}(\lambda)\big| + \mathrm{Adv}^{CPA}_{Final}(\lambda) \\
&\le 2\,\mathrm{Adv2}_A(\lambda) + \mathrm{Adv1}_A(\lambda) + q\,\mathrm{Adv2}_A(\lambda) + \mathrm{Adv3}_A(\lambda) \\
&= \mathrm{Adv1}_A(\lambda) + (q+2)\,\mathrm{Adv2}_A(\lambda) + \mathrm{Adv3}_A(\lambda).
\end{aligned}$$
Therefore no polynomial-time adversary can break our HIBBES with non-negligible advantage. This completes the proof of Theorem 1.

5 Compact IND-CIVS-CCA2 HIBBE with Short Ciphertexts

5.1 Basic Ideas

In this section we construct an IND-CIVS-CCA2 secure $(D, n)$-HIBBES from our IND-CIVS-CPA secure $(D, n+1)$-HIBBES. We first give an overview of the conversion. We add one dummy user with an on-the-fly identity to the system. This dummy user is at depth 1, i.e., a child of the PKG. No one is allowed to obtain the secret key of the dummy user; it is used only for the ciphertext validity test. When encrypting a message $M$, the encryption algorithm first creates the ciphertext components $C_0$ and $C_2$, which are independent of the receivers' identity vector set. Then it hashes these two elements with a collision-resistant hash function and assigns the result as the on-the-fly identity of the dummy user. Finally, it computes the ciphertext component $C_1$ as in the encryption algorithm of the CPA-secure scheme, with the dummy user added to the receiver set. We show that there is an efficient algorithm to verify whether the resulting ciphertext is valid. In a word, the ciphertext validity test can be done publicly, since it involves only the ciphertext $CT$ and the public key $PK$.

This technique is inspired by the Boyen-Mei-Waters technique [9], which applies to Waters' adaptively secure IBE [39] and the Boneh-Boyen selective-ID secure IBE [1] to obtain CCA2-secure public key cryptosystems. Boyen et al. remarked that their technique can be extended to obtain CCA2-secure HIBES from some CPA-secure HIBES by adding one extra hierarchy level to the underlying HIBES. Instead of introducing one extra level of users to our HIBBE, we add a single dummy user at the first level and exploit the broadcast feature to enforce the ciphertext validity test. In this way, CCA2 security is achieved at the marginal cost of one extra user.

5.2 The Resulting Construction

For ease of description, we label the previous HIBBES as HIBBE_CPA with algorithms Setup_CPA, KeyGen_CPA, Delegate_CPA, Encrypt_CPA and Decrypt_CPA. Our CCA2-secure HIBBES is denoted HIBBE_CCA2. As in HIBBE_CPA, we assume that an identity vector $ID = (ID_1, \ldots, ID_k)$ at depth $k$ is a vector in $\mathbb{Z}_N^k$, and that the messages to be encrypted are elements of $G_T$. The resulting scheme works as follows:

Setup(D, n, λ). The system first runs Setup_CPA(D, n+1, λ) to generate the public key $PK = (g, h, u_1, \ldots, u_n, u_{n+1}, X_3, e(g,g)^{\alpha})$ and the master key $MSK = g^{\alpha}$. A collision-resistant hash function $H : G \times G_T \to \mathbb{Z}_N$ is also included in the public key. We stress that the dummy user, associated with the parameter $u_{n+1}$, is at depth 1 and no one is allowed to obtain its secret key.

KeyGen and Delegate. These two algorithms are identical to KeyGen_CPA and Delegate_CPA.

Encrypt(PK, M, V). For a receiver identity vector set $V$, denote $I = \{ i : ID_i \in S_V \}$. The encryption algorithm first picks a random $\beta \in \mathbb{Z}_N$ and computes
$$(C_0, C_2) = \big( g^{\beta},\ e(g,g)^{\alpha\beta} M \big).$$
Then it computes $ID_{n+1} = H(C_0, C_2) \in \mathbb{Z}_N$ and constructs $C_1$ as
$$C_1 = \Big( h \prod_{i \in I} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}} \Big)^{\beta}.$$
The algorithm finally outputs the ciphertext $CT = (C_0, C_1, C_2)$. Note that it is a valid HIBBE_CPA ciphertext for the receiver identity vector set $V \cup \{ID_{n+1}\}$.

Decrypt(V, CT, SK_ID). Suppose the secret key of the user with identity vector $ID$ is $SK_{ID} = (a_0, a_1, \{b_j\}_{j \in [1,n+1] \setminus I})$, where $I = \{ i : ID_i \in S_{ID} \}$, and denote $I' = \{ i : ID_i \in S_V \}$. Before decrypting the ciphertext $CT = (C_0, C_1, C_2)$, the decryption algorithm first verifies that the ciphertext is legitimate. It does so by choosing random elements $Z_3, Z_3' \in G_{p_3}$, computing $ID_{n+1} = H(C_0, C_2) \in \mathbb{Z}_N$ and testing whether
$$e(g Z_3,\ C_1) \overset{?}{=} e\Big( C_0,\ h \prod_{i \in I'} u_i^{ID_i} \cdot u_{n+1}^{ID_{n+1}} \cdot Z_3' \Big). \qquad (1)$$
If the equation holds, the decryption algorithm simply invokes Decrypt_CPA($V \cup \{ID_{n+1}\}, CT, SK_{ID}$) to obtain the message $M$. Otherwise the ciphertext is invalid and the decryption algorithm outputs NULL.

Remark 1. The above ciphertext validity test can be done publicly, since it involves only public parameters and the ciphertext. This is useful for building advanced protocols on top of our scheme, e.g., publicly verifiable HIBBE encryption with CCA2 security [13, 26, 38]. It also allows a gateway or firewall to filter spam, i.e., invalid ciphertexts, without the secret keys of the receivers. Similar functionality has been applied to identify dishonest transactions in a mobile e-commerce scenario [24].

Soundness. If the ciphertext is legitimate, then the tuple
$$\Big( g,\ C_0 = g^{\beta},\ h \prod_{i \in I'} u_i^{ID_i} u_{n+1}^{ID_{n+1}},\ C_1 = \big( h \prod_{i \in I'} u_i^{ID_i} u_{n+1}^{ID_{n+1}} \big)^{\beta} \Big)$$
is a valid Diffie-Hellman tuple. The elements $Z_3, Z_3' \in G_{p_3}$ vanish on both sides of Equation (1) by the orthogonality property, since $g$, $C_0$ and $C_1$ lie in $G_{p_1}$. Accordingly, Equation (1) holds. Moreover, this ciphertext is a valid HIBBE_CPA ciphertext for the receiver identity vector set $V \cup \{ID_{n+1}\}$ with $ID_{n+1} = H(C_0, C_2)$. Since $ID \in \mathrm{Pref}(V) \subseteq \mathrm{Pref}(V \cup \{ID_{n+1}\})$, the decryption algorithm can decrypt the ciphertext by invoking the underlying Decrypt_CPA($V \cup \{ID_{n+1}\}, CT, SK_{ID}$).

5.3 Security Analysis

We now allow decryption queries in all the games defined in Section 4.2. The simulation works as follows. When receiving a decryption query from the adversary, the simulator first checks Equation (1) to determine whether the ciphertext is valid. If the equation holds, the simulator generates a secret key for any identity vector $ID$ with $ID \in \mathrm{Pref}(V)$ and uses this key to decrypt the ciphertext. In the challenge phase, the simulator creates a challenge ciphertext $CT^* = (C_0^*, C_1^*, C_2^*)$ for the challenge identity vector set $V^* \cup \{ID^*_{n+1}\}$, where $ID^*_{n+1} = H(C_0^*, C_2^*)$. Since the hash function $H$ is collision resistant, the adversary cannot make a valid decryption query that would require the simulator to use an identity vector set $V \cup \{ID_{n+1}\}$ with $ID_{n+1} = ID^*_{n+1}$. Note also that the adversary cannot issue a secret key query for the dummy user, because its identity is not known before the simulator produces the challenge ciphertext. Hence the simulation can be carried out by invoking the underlying HIBBE_CPA. Formally, the CCA2 security of the above scheme is guaranteed by the following theorem.

Theorem 2. Let $G$ be a group of composite order $N$ endowed with an efficient bilinear map. Suppose the three assumptions defined in Definition 1, Definition 2 and Definition 3 hold in $G$. Then our HIBBE_CCA2 is IND-CIVS-CCA2 secure.

Similarly to the CPA security proof, we denote the games by GameCCA2_Real, GameCCA2_Restricted, GameCCA2_k with $k \in [0,q]$ and GameCCA2_Final. For a security parameter $\lambda$, we denote the advantages of winning these games by $\mathrm{Adv}^{CCA2}_{Real}(\lambda)$, $\mathrm{Adv}^{CCA2}_{Restricted}(\lambda)$, $\mathrm{Adv}^{CCA2}_{k}(\lambda)$ with $k \in [0,q]$, and $\mathrm{Adv}^{CCA2}_{Final}(\lambda)$. The security of our HIBBE_CCA2 follows from the indistinguishability of these games, assuming that the three assumptions defined in Section 2 hold.

Lemma 5. Suppose Assumption 2 holds. Then no polynomial-time algorithm can distinguish GameCCA2_Real from GameCCA2_Restricted with non-negligible advantage.

Proof. The proof of this lemma is identical to the proof of Lemma 1.

Lemma 6. Suppose Assumption 1 holds. Then no polynomial-time algorithm can distinguish GameCCA2_Restricted from GameCCA2_0 with non-negligible advantage.

Proof. Assume an adversary A distinguishes GameCCA2_Restricted from GameCCA2_0 with advantage $\epsilon_0$. We build an algorithm B that refutes Assumption 1 with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$. B takes the challenge tuple $(g, X_3, T)$ as input; its goal is to determine whether $T \in G_{p_1}$ or $T \in G_{p_1p_2}$. In the Setup phase, B randomly chooses exponents $\alpha \in \mathbb{Z}_N$ and $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n+1]$, sets $h = g^{\gamma_0}$ and $u_i = g^{\gamma_i}$ for all $i \in [1, n+1]$, and gives the public key $PK = (g, h, u_1, \ldots, u_n, u_{n+1}, X_3, e(g,g)^{\alpha})$ to A. Note that B knows the master key $MSK = g^{\alpha}$.

For a secret key query with identity vector $ID = (ID_1, \ldots, ID_d)$ issued by A, B runs the usual key generation algorithm and returns the secret key. When receiving a decryption query from A with a ciphertext $CT = (C_0, C_1, C_2)$ and a receiver identity vector set $V$, B first computes $ID_{n+1} = H(C_0, C_2)$ and checks Equation (1) of Section 5.2. If the equation does not hold, the ciphertext is invalid and B returns NULL. Otherwise, B generates a normal key for any user whose identity vector $ID$ satisfies $ID \in \mathrm{Pref}(V)$ using the master key $g^{\alpha}$, uses this key to decrypt the ciphertext and returns the extracted message to A.

In the challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$ together with a challenge identity vector set $V^*$. Denote $I^* = \{ i : ID_i \in S_{V^*} \}$. B flips a random coin $b \in \{0,1\}$ and returns the challenge ciphertext
$$CT^* = (C_0^*, C_1^*, C_2^*) = \Big( T,\ T^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}},\ M_b \cdot e(g^{\alpha}, T) \Big),$$

where $ID^*_{n+1} = H(C_0^*, C_2^*) = H(T, M_b \cdot e(g^{\alpha}, T))$. Note that the components of the challenge ciphertext involve no elements of $G_{p_3}$. Therefore, for any randomly chosen $Z_3, Z_3' \in G_{p_3}$, the challenge ciphertext is valid by the following equalities:
$$\frac{e(gZ_3, C_1^*)}{e\big(C_0^*,\ h \prod_{i \in I^*} u_i^{ID_i} u_{n+1}^{ID^*_{n+1}} Z_3'\big)} = \frac{e\big(gZ_3,\ T^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}}\big)}{e\big(T,\ g^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}} Z_3'\big)} = 1 .$$
Finally, A outputs a guess of whether it is in GameCCA2_Restricted or in GameCCA2_0. If A guesses GameCCA2_Restricted, B outputs $T \in G_{p_1}$; otherwise B concludes $T \in G_{p_1p_2}$. Decryption queries are answered perfectly, since B can generate normal keys for arbitrary identity vectors using the master key $g^{\alpha}$. By the same analysis as in the proof of Lemma 2, if A has advantage $\epsilon_0$ in distinguishing GameCCA2_Restricted from GameCCA2_0, then B determines the distribution of $T$ with advantage $\mathrm{Adv1}_B(\lambda) \ge \epsilon_0$.

Lemma 7. If Assumption 2 holds, then no polynomial-time algorithm can distinguish GameCCA2_{k-1} from GameCCA2_k with non-negligible advantage.

Proof. Assume an adversary A distinguishes GameCCA2_{k-1} from GameCCA2_k with advantage $\epsilon_k$. Invoking A as a black box, we construct an algorithm B that refutes Assumption 2 with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$. The input of B is an instance $(g, X_1X_2, X_3, Y_2Y_3, T)$ of the second assumption; B has to decide whether $T \in G_N$ or $T \in G_{p_1p_3}$. B randomly chooses $\alpha \in \mathbb{Z}_N$ and $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n+1]$, and sends A the public key $PK = (g, h, u_1, \ldots, u_n, u_{n+1}, X_3, e(g,g)^{\alpha})$ with $h = g^{\gamma_0}$ and $u_i = g^{\gamma_i}$ for all $i \in [1, n+1]$. The master key $MSK = g^{\alpha}$ is kept by B.

When receiving a secret key query for an identity vector $ID = (ID_1, \ldots, ID_d)$, B answers exactly as in the proof of Lemma 3, with $j$ ranging over $[1, n+1] \setminus I$: semi-functional keys for the first $k-1$ queries, the $T$-based key for the $k$-th query and normal keys afterwards. When A issues a decryption query for a ciphertext $CT = (C_0, C_1, C_2)$ with a receiver identity vector set $V$, B sets $ID_{n+1} = H(C_0, C_2)$ and checks Equation (1) of Section 5.2. If the equation holds, B creates a normal key for any identity vector $ID \in \mathrm{Pref}(V)$ and returns the message decrypted from $CT$. Otherwise it returns NULL, since the ciphertext is invalid.

In the Challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$ together with a challenge identity vector set $V^*$. Denote $I^* = \{ i : ID_i \in S_{V^*} \}$. B chooses a random bit $b \in \{0,1\}$ and outputs the ciphertext
$$CT^* = (C_0^*, C_1^*, C_2^*) = \Big( X_1X_2,\ (X_1X_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}},\ M_b \cdot e(g, X_1X_2)^{\alpha} \Big),$$
where $ID^*_{n+1} = H(C_0^*, C_2^*) = H(X_1X_2, M_b \cdot e(g, X_1X_2)^{\alpha})$. Equation (1) holds for this ciphertext, since for any $Z_3, Z_3' \in G_{p_3}$
$$\frac{e(gZ_3, C_1^*)}{e\big(C_0^*,\ h \prod_{i \in I^*} u_i^{ID_i} u_{n+1}^{ID^*_{n+1}} Z_3'\big)} = \frac{e\big(gZ_3,\ (X_1X_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}}\big)}{e\big(X_1X_2,\ g^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}} Z_3'\big)} = 1 .$$
Therefore this ciphertext is valid. Note that it is semi-functional, with the implicit setting
$$y_c = \gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1} .$$
By the restriction of GameCCA2_Restricted, A cannot issue a secret key query for an identity vector that is a prefix of the challenge receiver identity vector set modulo $p_2$, so $y_c$ and $y_k$ look independently random

to A. Therefore the relationship between $y_c$ and $y_k$ gives A no advantage in distinguishing the two games.

Although the relationship between $y_c$ and $y_k$ is hidden from A, this special setting prevents B itself from testing whether the $k$-th key for identity vector $ID$ is semi-functional. The method would be to generate a semi-functional ciphertext for any identity vector set $V$ with $ID \in \mathrm{Pref}(V)$ and decrypt it with the $k$-th key: if the $k$-th key is normal, decryption is correct, whereas if the $k$-th key is semi-functional, then by the definition of a semi-functional secret key it cannot decrypt a semi-functional ciphertext, so B could decide between $T \in G_N$ and $T \in G_{p_1p_3}$ with advantage 1 without A's help. The specially constructed key returned for the $k$-th query rules this out. If B tries, decryption always works, no matter whether the $k$-th key is normal or semi-functional, because
$$y_k + \sum_{i \in I' \setminus I} ID_i \gamma_i + ID_{n+1} \gamma_{n+1} = y_c ,$$
where $I = \{ i : ID_i \in S_{ID} \}$, $I' = \{ i : ID_i \in S_V \}$ and $ID_{n+1}$ is the dummy identity of that ciphertext. In other words, for the $k$-th secret key query B can only generate a nominally semi-functional key, and decryption is always correct by the definition of a nominally semi-functional key given in Section 4.2.

If A guesses that it is in GameCCA2_{k-1}, B answers $T \in G_{p_1p_3}$; otherwise A guesses GameCCA2_k and B decides $T \in G_N$. By the same reasoning as in the proof of Lemma 3, if A has advantage $\epsilon_k$ in distinguishing GameCCA2_{k-1} from GameCCA2_k, then B distinguishes $T \in G_{p_1p_3}$ from $T \in G_N$ with advantage $\mathrm{Adv2}_B(\lambda) \ge \epsilon_k$.

Lemma 8. Suppose Assumption 3 holds. Then no polynomial-time algorithm can distinguish GameCCA2_q from GameCCA2_Final with non-negligible advantage.

Proof. Assume A distinguishes GameCCA2_q from GameCCA2_Final with advantage $\epsilon_F$. Invoking A as a black box, we build an algorithm B refuting Assumption 3 with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$. The input of B is the challenge tuple $(g, g^{\alpha}X_2, X_3, g^{s}Y_2, Z_2, T)$ of Assumption 3; B has to decide whether $T = e(g,g)^{\alpha s}$ or $T$ is a random element of $G_T$.

B randomly chooses $\gamma_i \in \mathbb{Z}_N$ for all $i \in [0, n+1]$ and sets the public key
$$PK = \big( g,\ h = g^{\gamma_0},\ u_1 = g^{\gamma_1}, \ldots, u_n = g^{\gamma_n},\ u_{n+1} = g^{\gamma_{n+1}},\ X_3,\ e(g,g)^{\alpha} = e(g^{\alpha}X_2, g) \big).$$
When A requests a secret key for an identity vector $ID$, B chooses random exponents $r, w_0, w_1, t_0, t_1 \in \mathbb{Z}_N$ and $v_j, z_j \in \mathbb{Z}_N$ for all $j \in [1, n+1] \setminus I$, where $I = \{ i : ID_i \in S_{ID} \}$, and outputs
$$SK_{ID} = \Big( g^{\alpha}X_2 \big( h \prod_{i \in I} u_i^{ID_i} \big)^{r} Z_2^{t_0} X_3^{w_0},\ g^{r} Z_2^{t_1} X_3^{w_1},\ \{ u_j^{r} Z_2^{z_j} X_3^{v_j} \}_{j \in [1, n+1] \setminus I} \Big).$$
As in the proof of Lemma 4, the resulting key is semi-functional.

When B receives a decryption query for a ciphertext $CT = (C_0, C_1, C_2)$ with a receiver identity vector set $V$, it first sets $ID_{n+1} = H(C_0, C_2)$ and checks Equation (1) to verify the validity of $CT$. If the equation does not hold, B simply returns NULL. Otherwise, since B knows a random generator $g$ of $G_{p_1}$ and a random element $X_3 \in G_{p_3}$, it runs the same algorithm as for key queries to generate a semi-functional secret key for some $ID \in \mathrm{Pref}(V)$ and uses it to decrypt $CT$.

Although the generated secret keys are all semi-functional, B can use them to answer decryption queries correctly, because A can only submit valid normal ciphertexts. On the one hand, A cannot generate semi-functional ciphertexts for any identity vector set $V$ without knowledge of the subgroup $G_{p_2}$, except for the challenge identity vector set; otherwise A could distinguish the preceding games by issuing a secret key query for an identity vector $ID \in \mathrm{Pref}(V)$ and decrypting by itself, which the CPA security proof already rules out. On the other hand, the only semi-functional ciphertexts A can obtain are modifications of the challenge ciphertext, and any modification of the challenge ciphertext made without knowledge of $G_{p_2}$ is detected by Equation (1). Hence no decryption query for a semi-functional ciphertext is answered, the semi-functional keys are only ever used to decrypt normal ciphertexts, and the decryption queries are answered correctly.

In the challenge phase, A outputs two equal-length messages $M_0, M_1 \in G_T$ and a challenge identity vector set $V^*$. Denote $I^* = \{ i : ID_i \in S_{V^*} \}$. B chooses a random bit $b \in \{0,1\}$ and outputs
$$CT^* = (C_0^*, C_1^*, C_2^*) = \Big( g^{s}Y_2,\ (g^{s}Y_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}},\ M_b \cdot T \Big),$$
where $ID^*_{n+1} = H(C_0^*, C_2^*) = H(g^{s}Y_2, M_b \cdot T)$. Note that for any $Z_3, Z_3' \in G_{p_3}$,
$$\frac{e(gZ_3, C_1^*)}{e\big(C_0^*,\ h \prod_{i \in I^*} u_i^{ID_i} u_{n+1}^{ID^*_{n+1}} Z_3'\big)} = \frac{e\big(gZ_3,\ (g^{s}Y_2)^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}}\big)}{e\big(g^{s}Y_2,\ g^{\gamma_0 + \sum_{i \in I^*} ID_i \gamma_i + ID^*_{n+1} \gamma_{n+1}} Z_3'\big)} = 1 .$$
Hence $CT^*$ is a valid ciphertext. B answers $T = e(g,g)^{\alpha s}$ if A guesses that it is in GameCCA2_q, and decides that $T$ is random in $G_T$ if A guesses GameCCA2_Final. As in the analysis of Lemma 4, if A has advantage $\epsilon_F$ in distinguishing GameCCA2_q from GameCCA2_Final, then B distinguishes $T = e(g,g)^{\alpha s}$ from a random element of $G_T$ with advantage $\mathrm{Adv3}_B(\lambda) \ge \epsilon_F$.

With the four lemmas above, the proof of Theorem 2 follows.

Proof (of Theorem 2). In GameCCA2_Final the challenge ciphertext is a random element of $G_T$, so the bit $b$ chosen by the challenger is information-theoretically hidden from A and $\mathrm{Adv}^{CCA2}_{Final}(\lambda) = 0$. Combining the four lemmas, we have
$$\begin{aligned}
\mathrm{Adv}^{CCA2}_{Real}(\lambda) &\le \big|\mathrm{Adv}^{CCA2}_{Real}(\lambda) - \mathrm{Adv}^{CCA2}_{Restricted}(\lambda)\big| + \big|\mathrm{Adv}^{CCA2}_{Restricted}(\lambda) - \mathrm{Adv}^{CCA2}_{0}(\lambda)\big| \\
&\quad + \sum_{k=1}^{q} \big|\mathrm{Adv}^{CCA2}_{k-1}(\lambda) - \mathrm{Adv}^{CCA2}_{k}(\lambda)\big| + \big|\mathrm{Adv}^{CCA2}_{q}(\lambda) - \mathrm{Adv}^{CCA2}_{Final}(\lambda)\big| + \mathrm{Adv}^{CCA2}_{Final}(\lambda) \\
&\le 2\,\mathrm{Adv2}_A(\lambda) + \mathrm{Adv1}_A(\lambda) + q\,\mathrm{Adv2}_A(\lambda) + \mathrm{Adv3}_A(\lambda) .
\end{aligned}$$
If the three assumptions hold, then for every polynomial-time A the advantages $\mathrm{Adv1}_A(\lambda)$, $\mathrm{Adv2}_A(\lambda)$ and $\mathrm{Adv3}_A(\lambda)$ are negligible. Hence for all polynomial-time algorithms the advantage of breaking our HIBBE_CCA2 is negligible.

5.4 Efficient Tradeoff Between Ciphertext Size and Key Size

The public/secret key sizes and the ciphertext size of the $(D, n)$-HIBBE_CCA2 are the same as those of the underlying $(D, n+1)$-HIBBE_CPA. Encryption needs only one more hash operation. Decryption needs one more hash operation and the extra test of Equation (1), which costs two pairings; the factors $u_i^{ID_i}$ for $i \in [1, n]$ can be precomputed.

Table 2 shows a detailed comparison between our CPA-secure $(D, n+1)$-HIBBE and our CCA2-secure $(D, n)$-HIBBE. In Table 2, the secret key $SK_{ID}$ is associated with the identity vector $ID$, and the ciphertext $CT$ with the receiver identity vector set $V$. We denote by $\tau_e$ the time of one exponentiation in $G$, by $\tau_m$ the time of one multiplication in $G$, by $\tau_p$ the time of one pairing and by $\tau_h$ the time of one evaluation of the hash function $H$. Table 2 shows that the additional overhead is marginal.

HIBBE with Shorter Secret Keys. In our HIBBES, while the ciphertext contains only three group elements, the secret key of a user at depth $d$ contains $n - d + 2$ elements. In some scenarios, e.g., when the storage capacity of the receivers is limited, one may want an efficient tradeoff between key size and ciphertext size. Note that the users of an HIBBES are organized as a tree $\mathcal{T}$ with $n$ nodes (the PKG, as the root, is not counted). We divide $\mathcal{T}$ into $T$ subtrees with $n_i$ nodes each, $i \in [1, T]$. To achieve a better balance, as shown in Figure 3, the subtrees may be chosen such that:

1. The number of nodes in each subtree is approximately equal, that is, $n_i \approx n / T$ for the $i$-th subtree, $i \in [1, T]$;

2. If possible, all subtrees share the minimum number of higher-level nodes.

Table 2. Comparison between CPA-secure $(D, n+1)$-HIBBE and CCA2-secure $(D, n)$-HIBBE

                     (D, n+1)-HIBBE_CPA                        (D, n)-HIBBE_CCA2
Active users         n + 1                                     n
PK size              n + 5                                     n + 5
SK_ID size           n - |ID| + 2                              n - |ID| + 2
CT size              3                                         3
Encryption time      (2 + |S_V|)(τ_e + τ_m)                    (2 + |S_V|)(τ_e + τ_m) + τ_h
Decryption time      (1 + |S_V|)(τ_e + τ_m) + 2τ_p             (1 + |S_V|)(τ_e + τ_m) + 4τ_p + τ_h

We then run independent HIBBE instances in each subtree. When broadcasting, one encrypts the message with each instance whose subtree intersects the broadcast set, the broadcast subset of each instance being the intersection of the original broadcast set and that subtree. Each receiver decrypts the ciphertext component corresponding to its subtree. With this subtree method, the key size is $O(n/T)$ and the ciphertext size is $O(T)$. By setting $T = \sqrt{n}$, both the key size and the ciphertext size are $O(\sqrt{n})$.

Fig. 2. Constant size ciphertext HIBBE.

Fig. 3. Shorter secret keys HIBBE.

6 Conclusion

This paper extended the functionality of HIBE to HIBBE, allowing users to encrypt to multiple receivers organized in a hierarchy while supporting delegation of secret keys, which relieves the private key generator from a heavy key management burden. The new cryptographic primitive offers a novel avenue for establishing secure data sharing systems and suitable distributed computation and communication applications. We constructed a CPA-secure HIBBES with short ciphertexts. We then proposed a transformation that converts our basic scheme into a CCA2-secure one. Both schemes are efficient and proven fully secure under three static assumptions in the standard model.

Acknowledgment

This paper is partially supported by the National Key Basic Research Program (973 program) through project 2012CB315905, by the Natural Science Foundation of China,

by the Beijing Natural Science Foundation, by the Guangxi Natural Science Foundation through project 2013GXNSFBB053005, by the Fundamental Research Funds for the Central Universities, the Research Funds No. 14XNLF02 of Renmin University of China, the Innovation Fund of China Aerospace Science and Technology Corporation, Satellite Application Research Institute through project CXJJ-TX-10, the Open Project of the Key Laboratory of Cryptologic Technology and Information Security, Ministry of Education, Shandong University, and the Open Research Fund of the Beijing Key Laboratory of Trusted Computing.

References

1. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT. Volume 3027 of LNCS. Springer Berlin Heidelberg.
2. Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. In: EUROCRYPT. Volume 3494 of LNCS. Springer Berlin Heidelberg.
3. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: CRYPTO. Volume 2139 of LNCS. Springer Berlin Heidelberg.
4. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. SIAM Journal on Computing.
5. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: CRYPTO. Volume 3621 of LNCS. Springer Berlin Heidelberg.
6. Boneh, D., Goh, E.J., Nissim, K.: Evaluating 2-DNF formulas on ciphertexts. In: TCC. Volume 3378 of LNCS. Springer Berlin Heidelberg.
7. Boneh, D., Hamburg, M.: Generalized identity based and broadcast encryption schemes. In: ASIACRYPT. Volume 5350 of LNCS. Springer Berlin Heidelberg.
8. Boneh, D., Katz, J.: Improved efficiency for CCA-secure cryptosystems built using identity-based encryption. In: CT-RSA. Volume 3376 of LNCS. Springer Berlin Heidelberg.
9. Boyen, X., Mei, Q., Waters, B.: Direct chosen ciphertext security from identity-based techniques. In: CCS 2005, ACM.
10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: EUROCRYPT. Volume 2656 of LNCS. Springer Berlin Heidelberg.
11. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: EUROCRYPT. Volume 3027 of LNCS. Springer Berlin Heidelberg.
12. Chen, H.C.: A trusted user-to-role and role-to-key access control scheme. Soft Computing.
13. Chen, X., Li, J., Huang, X., Ma, J., Lou, W.: New publicly verifiable databases with efficient updates. IEEE Transactions on Dependable and Secure Computing.
14. Delerablée, C.: Identity-based broadcast encryption with constant size ciphertexts and private keys. In: ASIACRYPT. Volume 4833 of LNCS. Springer Berlin Heidelberg.
15. Delerablée, C., Paillier, P., Pointcheval, D.: Fully collusion secure dynamic broadcast encryption with constant-size ciphertexts or decryption keys. In: Pairing. Volume 4575 of LNCS. Springer Berlin Heidelberg.
16. Deng, H., Wu, Q., Qin, B., Domingo-Ferrer, J., Zhang, L., Liu, J., Shi, W.: Ciphertext-policy hierarchical attribute-based encryption with short ciphertexts. Information Sciences.
17. Dodis, Y., Fazio, N.: Public key broadcast encryption for stateless receivers. In: Digital Rights Management. Volume 2696 of LNCS. Springer Berlin Heidelberg.
18. Fiat, A., Naor, M.: Broadcast encryption. In: CRYPTO. Volume 773 of LNCS. Springer Berlin Heidelberg.
19. Gentry, C., Halevi, S.: Hierarchical identity based encryption with polynomially many levels. In: TCC. Volume 5444 of LNCS. Springer Berlin Heidelberg.
20. Gentry, C., Silverberg, A.: Hierarchical ID-based cryptography. In: ASIACRYPT. Volume 2501 of LNCS. Springer Berlin Heidelberg.
21. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: EUROCRYPT. Volume 5479 of LNCS. Springer Berlin Heidelberg.
22. Halevy, D., Shamir, A.: The LSD broadcast encryption scheme. In: CRYPTO. Volume 2442 of LNCS. Springer Berlin Heidelberg.
23. Horwitz, J., Lynn, B.: Toward hierarchical identity-based encryption. In: EUROCRYPT. Volume 2332 of LNCS. Springer Berlin Heidelberg.
24. Huan, J., Yang, Y., Huang, X., Yuen, T.H., Li, J., Cao, J.: Accountable mobile e-commerce scheme via identity-based plaintext-checkable encryption. Information Sciences.

More information

Computing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM

Computing Arbitrary Functions of Encrypted Data March 2010 Communications of the ACM Home» Magazne Archve» 2010» No. 3» Computng Arbtrary Functons of Encrypted Data» Full Text RESEARCH HIGHLIGHTS Computng Arbtrary Functons of Encrypted Data Crag Gentry Communcatons of the ACM Vol. 53 No.

More information

Software project management with GAs

Software project management with GAs Informaton Scences 177 (27) 238 241 www.elsever.com/locate/ns Software project management wth GAs Enrque Alba *, J. Francsco Chcano Unversty of Málaga, Grupo GISUM, Departamento de Lenguajes y Cencas de

More information

Availability-Based Path Selection and Network Vulnerability Assessment

Availability-Based Path Selection and Network Vulnerability Assessment Avalablty-Based Path Selecton and Network Vulnerablty Assessment Song Yang, Stojan Trajanovsk and Fernando A. Kupers Delft Unversty of Technology, The Netherlands {S.Yang, S.Trajanovsk, F.A.Kupers}@tudelft.nl

More information

Traffic State Estimation in the Traffic Management Center of Berlin

Traffic State Estimation in the Traffic Management Center of Berlin Traffc State Estmaton n the Traffc Management Center of Berln Authors: Peter Vortsch, PTV AG, Stumpfstrasse, D-763 Karlsruhe, Germany phone ++49/72/965/35, emal peter.vortsch@ptv.de Peter Möhl, PTV AG,

More information

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence

How Sets of Coherent Probabilities May Serve as Models for Degrees of Incoherence 1 st Internatonal Symposum on Imprecse Probabltes and Ther Applcatons, Ghent, Belgum, 29 June 2 July 1999 How Sets of Coherent Probabltes May Serve as Models for Degrees of Incoherence Mar J. Schervsh

More information