From Selective to Full Security: Semi-Generic Transformations in the Standard Model

Transcription

1 An extended abstract of ths work appears n the proceedngs of PKC 2012 From Selectve to Full Securty: Sem-Generc Transformatons n the Standard Model Mchel Abdalla 1 Daro Fore 2 Vadm Lyubashevsky 1 1 Département d Informatque, École normale supéreure {Mchel.Abdalla,Vadm.Lyubashevsky}@ens.fr 2 Department of Computer Scence New York Unversty fore@cs.nyu.edu Abstract In ths paper, we propose an effcent, standard model, sem-generc transformaton of selectvesecure (Herarchcal) Identty-Based Encrypton schemes nto fully secure ones. The man step s a procedure that uses admssble hash functons (whose exstence s mpled by collson-resstant hash functons) to convert any selectve-secure wldcarded dentty-based encrypton (WIBE) scheme nto a fully secure (H)IBE scheme. Snce buldng a selectve-secure WIBE, especally wth a selectve-secure HIBE already n hand, s usually much less nvolved than drectly buldng a fully secure HIBE, ths transform already sgnfcantly smplfes the latter task. Ths black-box transformaton easly extends to schemes secure n the Contnual Memory Leakage (CML) model of Brakersk et al. (FOCS 2010), whch allows us obtan a new fully secure IBE n that model. We furthermore show that f a selectve-secure HIBE scheme satsfes a partcular securty noton, then t can be genercally transformed nto a selectve-secure WIBE. We demonstrate that several current schemes already ft ths new defnton, whle some others that do not obvously satsfy t can stll be easly modfed nto a selectve-secure WIBE. Keywords: Selectve securty, full securty, dentty-based encrypton.

2 Contents 1 Introducton Our results Basc Defntons Code-Based Games (Herarchcal) Identty Based Encrypton Identty Based Encrypton wth Wldcards The Contnual Memory Leakage Model Fully-Secure HIBE from Selectve-Secure WIBE Our transformaton Extensons of our transformaton Selectve WIBE schemes from selectve HIBE Securty under Correlated Randomness for HIBE From HIBE selectve-secure under Correlated Randomness to selectve-secure WIBE Our WIBE scheme A suffcent dstrbuton for buldng a WIBE A leakage-reslent WIBE scheme based on Decson Lnear 25 6 Lattce-Based WIBE Lattces and the LWE Problem Algorthms used n constructng the HIBE and WIBE Our Lattce-Based WIBE scheme Securty Proof Future Drectons 35 References 36 A A proof wthout artfcal abort 38 B HIBE Schemes Selectve-Secure under Correlated Randomness 46 B.1 The case of the Boneh-Boyen HIBE [8, 1] B.2 The case of the Boneh-Boyen-Goh HIBE [10] B.3 The case of the Waters HIBE [35]

3 1 Introducton The concept of dentty-based encrypton (IBE) s a generalzaton of the standard noton of publckey encrypton n whch the sender can encrypt messages to a user based only on the dentty of the latter and a set of user-ndependent publc parameters. In these systems, there exsts a trusted authorty, called prvate key generator, that s responsble for generatng decrypton keys for all denttes n the system. Snce beng ntroduced by Shamr n 1984 [33], IBE has receved a lot of attenton due to the fact that one no longer needs to mantan a separate publc key for each user. Despte beng an attractve concept, t was only n 2001 that the frst practcal IBE constructon was proposed based on ellptc curve parngs [13]. Later that year, Cocks proposed an alternatve IBE constructon based on the quadratc resduosty problem [23]. The now-standard defnton of securty of IBE schemes, frst suggested by Boneh and Frankln [13], s ndstngushablty under adaptve chosen-dentty attacks (we refer to t as full securty). In ths securty model, the adversary s allowed to obtan secret keys for adaptvely chosen denttes before decdng the dentty upon whch t wshes to be challenged. By allowng these queres, ths noton mplctly captures resstance aganst colluson attacks as dfferent users should be unable to combne ther keys n an attempt to decrypt cphertexts ntended to another user. In 2002, Horwtz and Lynn ntroduced the noton of herarchcal dentty-based encrypton (HIBE), whch allows ntermedate nodes to act as prvate key generators. They also provded a two-level HIBE constructon based on the Boneh-Frankln IBE scheme, but ther scheme could provde full colluson resstance only n the upper level. The frst HIBE scheme to provde full colluson resstance n all levels s due to Gentry and Slverberg [26]. Lke the Horwtz-Lynn HIBE scheme, the Gentry-Slverberg HIBE scheme was also based on the Boneh-Frankln IBE scheme and proven secure n the random-oracle model [6]. The frst HIBE to be proven secure n the standard model s due to Canett, Halev, and Katz [20], but n a weaker securty model, called the selectve-dentty model. Unlke the securty defntons used n prevous constructons of (H)IBE schemes, the selectve-dentty model requres the adversary to commt to the challenge dentty before obtanng the publc parameters of the scheme. Despte provdng weaker securty guarantees, Canett, Halev, and Katz showed that the selectve-dentty model s suffcent for buldng forward-secure encrypton schemes, whch was the man motvaton of ther paper. Although the selectve-dentty model has been consdered n many works, and s nterestng n ts own rght (e.g., t mples forward-secure publc key encrypton), f we focus solely on the (H)IBE applcaton, then the selectve noton s clearly unrealstc because t does not model the real capabltes of an adversary attackng a (H)IBE scheme. So whle the desgn of selectve-dentty secure schemes seems to be an easer task, the quest for fully secure solutons s always consdered the man goal for (H)IBE constructon. It s therefore a very nterestng problem to nvestgate whether there are ways to effcently convert a selectve secure scheme nto a fully secure one. In the random oracle model, ths queston has been resolved by Boneh, Boyen and Goh [10], who provded a very effcent black-box transformaton. In the standard model, however, no such converson s known 1, and all fully-secure (H)IBE schemes (e.g., [9], [35], [22]) had to be constructed and proved secure essentally from scratch. 1 It was shown by Boneh and Boyen n [8] that any selectve secure IBE scheme s already fully secure, but the concrete securty degrades by a factor 1/ ID, where ID s the scheme s dentty space. Snce ID s usually of exponental sze, ths converson s too expensve n terms of effcency to be consdered practcal. 1

4 1.1 Our results In ths paper, we explore the relatonshp between selectve-dentty and fully secure (H)IBE schemes n the standard model. From selectve-secure WIBE to fully-secure HIBE. Our frst man contrbuton s a generc constructon of fully-secure HIBE schemes from selectve-pattern-secure wldcarded dentty-based encrypton (WIBE) schemes. The noton of a WIBE, ntroduced by Abdalla et al. [1], s very smlar to the noton of a HIBE except that the sender can encrypt messages not only to a specfc dentty, but to a whole range of recevers whose denttes match a certan pattern defned through a sequence of fxed strngs and a specal wldcard symbol (*). The securty noton, called selectvepattern securty, requres the adversary to commt ahead of tme to the pattern P that he ntends to attack. He can then ask for the secret keys of any dentty not matchng P, and for the challenge cphertext on any pattern P matchng P. Ths noton of securty s slghtly more general and natural than that gven n [1]. Yet, as noted n Remark 2.5 at the end of Secton 2, t s satsfed by all known WIBE constructons. Our transformaton from any selectve-pattern-secure WIBE to a fully-secure HIBE s generc and reles on the noton of admssble hash functons (whose exstence s mpled by collson-resstant hash functons) ntroduced by Boneh and Boyen n [9]. Snce buldng selectve-pattern-secure WIBE schemes seems to be much easer than drectly buldng a fully secure HIBE scheme, ths transformaton already sgnfcantly smplfes the latter task. In fact, t s worth notcng that the selectve-pattern securty of all currently-known nstantatons of WIBE schemes follows from the selectve-dentty securty of ther respectve underlyng HIBE schemes (see [1]). One drect consequence of our constructon s that several exstng fully secure (H)IBE schemes can be seen as a partcular case of our transformaton. For nstance, the fully secure IBE scheme of Boneh and Boyen n [9] turns out to be a partcular case of our generc constructon when nstantated wth the selectve-pattern-secure Boneh-Boyen WIBE scheme gven n [1]. Lkewse, the fully secure HIBE by Cash, Hofhenz, Kltz, and Pekert [22] can be seen as the result of our generc transformaton when appled to our new WIBE scheme n Secton 6. Another consequence of our transformaton s that one can obtan new constructons of fully secure HIBE schemes by applyng our methodology to exstng selectve-pattern-secure WIBE schemes, such as the Boneh-Boyen-Goh WIBE n [1]. Interestngly, the result obtaned from ths nstantaton closely resembles the Waters (H)IBE scheme [35]. The transformaton n the Contnual Memory Leakage model. An mportant pont about our transformaton from WIBE to (H)IBE s that t also works n the Contnual Memory Leakage (CML) model [19, 24]. In ths model, securty s defned wth respect to an adversary that may learn a bounded number of bts related to the secret nformaton of a user, such as hs secret key, over a gven tme perod. In partcular, secret keys are updated regularly and nformaton about new secret keys and the randomness used durng ther updates may also leak to the adversary. In [19], Brakersk et al. extended the IBE constructon n [17] to obtan a selectve-secure IBE n the CML model based on the Decson Lnear assumpton. Whle Brakersk and Kala s IBE constructon can be made fully secure usng admssble hash functons as suggested n [17], a smlar result s not known to hold n the CML model. In ths paper, we show how to modfy the scheme n [19] nto a WIBE scheme and prove t selectve-pattern-secure n the CML model under the same assumpton. Then, by applyng our transformaton to ths newly-constructed WIBE, we obtan a (CML) fullysecure verson of the IBE n [19]. As n the orgnal IBE, our new IBE constructon assumes that there s no leakage from the master secret key. We observe, however, that ths restrcton s not that crtcal because, n the case of IBE, t may be reasonable to assume that the key generaton center uses strong countermeasures to avod leakng secret nformaton. 2

5 The role of WIBE n our transformaton. Somewhat surprsngly, our transformaton seems to mply that the WIBE noton s of central mportance when gong from selectve to full securty n (H)IBE. To see why, one has to take a look at our proof strategy and at the noton of Admssble hash functons (AHF). AHFs are a tool whch allows to partton the dentty space nto two subsets, B and R (both of whch are of exponental sze) so that n the securty proof the denttes of secret key queres fall n B whle the challenge dentty falls n R. In partcular, by carefully selectng the AHFs parameters (as descrbed n [9], for nstance) one can make sure that the above (good) event occurs wth non-neglgble probablty. In our proof from selectve-secure WIBE to fully-secure HIBE, the smulator frst uses AHFs to partton the dentty space nto B and R. Next, t declares to the WIBE challenger a challenge pattern whch corresponds to R, by expressng R n the form of a pattern. By the property of AHFs, f the good event occurs (for all key dervaton queres and the challenge dentty chosen by the adversary), then the smulator can easly forward all queres to the WIBE challenger. In partcular, t s guaranteed that the challenge dentty falls n R. When that happens, the smulator can output the challenge dentty chosen by the adversary as ts own challenge. We remark that the proof strategy descrbed above does not work f one starts from a selectvesecure HIBE nstead of a WIBE. Unlke the selectve-wibe smulator, the smulator aganst the selectve securty of a HIBE should commt to the challenge dentty ID at the very begnnng. And even f the smulator chooses the AHFs parameters so that all secret key queres fall n B and the challenge dentty falls n R, t stll needs to guess ID n R at the very begnnng. But the probablty that the challenge dentty chosen by the adversary matches such ID s 1/ R, whch s neglgble (recall that both B and R are of exponental sze). Selectve WIBE from selectve HIBE. The second man contrbuton of ths paper s to dentfy condtons under whch we can genercally transform a selectve-dentty-secure HIBE scheme nto a selectve-pattern-secure WIBE scheme. Towards ths goal, we ntroduce a new noton of securty for HIBE schemes, called securty under correlated randomness, whch allows us to transform a gven HIBE nto a WIBE by smply re-encryptng the same message to a partcular set of denttes by reusng the same randomness. Informally speakng, n order for a HIBE scheme to be secure under correlated randomness, t must satsfy the followng two propertes. Frst, when gven an encrypton of the same message under the same randomness for two dentty vectors ID 0 = (ID 0,1,..., ID 0,j,..., ID 0,λ ) and ID 1 = (ID 1,1,..., ID 1,j,..., ID 1,λ ) dfferng n exactly one poston (say j), one can easly generate a cphertext for any dentty vector matchng the pattern ID = (ID 1,1,..., *,..., ID 1,λ ). Secondly, when gven these two cphertexts, the adversary should not be able to generate an encrypton of the same message under the same randomness for any dentty vector that does not match the pattern. In Secton 4 we show that selectve-correlatedrandomness-secure HIBE schemes can be converted to selectve-pattern-secure WIBEs. Moreover, n Appendx B, we show that several exstng HIBE schemes already satsfy ths slghtly stronger noton of securty, e.g., [8, 10, 35], and n partcular we show that ther securty under correlated randomness black-box reduces to ther selectve-dentty securty. Hence, f we combne our frst generc transformaton from selectve-pattern-secure WIBE to fully-secure (H)IBE, together wth our second result descrbed above, we obtan a compler that allows us to construct a fully secure (H)IBE startng from a selectve-secure (H)IBE. In partcular, the resultng transformaton works n the standard model and s sem-generc because the second part assumes a specfc property of the underlyng scheme (.e., securty under correlated randomness). Nevertheless, by reducng the task of buldng fully secure HIBE schemes to that of buldng a selectve-pattern-secure WIBE scheme, we beleve that our result makes the former task sgnfcantly easer to acheve. New WIBE schemes. One fnal contrbuton of ths paper are two constructons of selectve- 3

6 pattern-secure WIBE schemes. The frst one, whose descrpton s gven n Secton 5, s obtaned by modfyng the IBE n [19]. It s based on parngs and s secure under the Decson Lnear assumpton n the CML model. Such modfcaton essentally follows the correlated-randomness paradgm. Snce for some techncal reasons (related to the specfc scheme) the selectve-pattern securty of ths WIBE cannot be blackbox reduced to the selectve-dentty securty of the related IBE (lke we do for other parng-based WIBEs), we decded to gve a drect proof under the Decson Lnear assumpton. However, we notce that such proof closely follows the one n [19]. The second WIBE s based on lattces and ts securty follows from the selectve-dentty secure HIBE constructon from [22]. Even though the Cash-Hofhenz-Kltz-Pekert HIBE scheme does not meet the noton of securty under correlated randomness ntroduced n Secton 4 (because the scheme s not secure when the same randomness s reused for encrypton), we show n Secton 6 that one can easly modfy t to obtan a selectve-pattern-secure WIBE scheme. Smlarly to the case of parngbased WIBE schemes, the selectve-pattern securty of the new WIBE can be reduced drectly to the selectve-dentty securty of the orgnal Cash-Hofhenz-Kltz-Pekert HIBE scheme. However, n ths case, t turns out to be even smpler to prove the selectve-pattern securty of our scheme drectly from the decsonal Learnng Wth Errors Problem (LWE) [32, 31]. Dscusson. In ths paper, we concentrate on buldng HIBE schemes that are adaptve-denttysecure aganst chosen-plantext attacks. As shown by Boneh, Canett, Halev, and Katz [21, 15, 12], such schemes can easly be made chosen-cphertext-secure wth the help of one-tme sgnature schemes or message authentcaton codes. Smlarly to the (H)IBE schemes by Boneh and Boyen [9], by Waters [35], and by Cash, Hofhenz, Kltz, and Pekert [22], the schemes obtaned va our transformaton are only provably secure when the maxmum herarchy s depth L s some fxed constant due to the loss of a factor whch s exponental n L. Whle for lattce-based HIBE schemes [22, 3, 4], ths seems to be the state of the art, the same s not true for parng-based HIBE schemes. More precsely, there have been several proposals n recent years (e.g., [25, 34, 29, 28]), whch are fully secure even when the HIBE scheme has polynomally many levels. Most of these schemes use a new proof methodology, known as dual system encrypton [34]. Organzaton. The paper s organzed as follows. In Secton 2, we start by recallng some standard defntons and notatons used throughout the paper. Next, n Secton 3, we present our frst man contrbuton, whch s a generc constructon whch can transform any selectve-pattern-secure WIBE nto a fully secure HIBE scheme. Then, n Secton 4, we ntroduce the noton of securty under correlated randomness for HIBE schemes and show how such schemes can be used to buld selectvepattern-secure WIBEs. Though such securty noton does not necessarly hold for all HIBE schemes, we show n Appendx B that several exstng selectve-dentty-secure HIBE schemes do meet ths noton. Next, n Sectons 5 and 6, we show two selectve-pattern-secure WIBE schemes that are obtaned by transformng, respectvely, the Brakersk-Kala-Katz-Vakuntanathan IBE and the Cash- Hofhenz-Kltz-Pekert HIBE. Fnally, n Secton 7, we summarze some future drectons left open by our work. 2 Basc Defntons In ths secton we descrbe the notaton and the basc defntons that we use n the paper. Notaton. We say that a functon s neglgble f t vanshes faster than the nverse of any polynomal. If S s a set, then x S ndcates the process of selectng x unformly at random over S. If A( ) s an algorthm then we denote wth y A( ) the operaton of runnng A (on some nput) and 4

7 assgnng the output to y. For any l N we denote wth [l] the set {1, 2,..., l}. PPT stands for probablstc polynomal tme and PTA for PPT algorthm or adversary. 2.1 Code-Based Games In ths work, we state our defntons and gve our proofs usng code-based games [7]. A game s usually defned by two procedures Intalze and Fnalze, and by other procedures that model the answers to the adversary s oracle queres. A game G s executed wth an adversary A as follows. Frst, A runs Intalze, and gets ts output. Then, A can make oracle queres by executng the correspondng procedures. At the end, before haltng, the adversary s requred to execute the procedure Fnalze whose output s the output of the game G. If b s G s output, then we denote all ths process by wrtng G A b. Usually, a game keeps a flag bad whch s ntalzed to false, and that may be set true durng the executon of the game. We denote wth Bad (resp. Good ) the event that G A sets (resp. does not set) bad true. Two games G and G j are sad dentcal-untl-bad f ther code dffers only n statements that are executed when bad s set. Bellare and Rogaway show n [7] that f G and G j are dentcal-untl-bad, and A s an adversary, then Pr[Bad ] = Pr[Bad j ]. Moreover, the fundamental lemma of game-playng [7] states that f G and G j are dentcal-untl-bad, then for any b: Pr[G A b] Pr[G A j b] Pr[Bad ]. In our work we use a varant of ths lemma formulated by Bellare and Rstenpart n [5]: Lemma 2.1 [[5]] If G and G j are dentcal-untl-bad games, and A s an adversary, then for any b: Pr[G A b Bad ] = Pr[G A j b Bad j ]. 2.2 (Herarchcal) Identty Based Encrypton A herarchcal dentty-based encrypton scheme (HIBE) s defned by a tuple of algorthms HIBE = (Setup, KeyDer, Enc, Dec), a message space M, and an dentty space ID. The algorthm Setup s run by a trusted authorty to generate a par of keys (mpk, msk) such that mpk s made publc, whereas msk s kept prvate. The users are herarchcally organzed n a tree of depth L whose root s the trusted authorty. The dentty of a user at level 1 l L s represented by a vector ID = (ID 1,..., ID l ) ID l. A user at level l wth dentty ID = (ID 1,..., ID l ) can use the key dervaton algorthm KeyDer(sk ID, ID ) to generate a secret key for any of ts chldren ID = (ID 1,..., ID l, ID l+1 ) at level l + 1. Snce ths process can be terated, every user can generate keys for all ts descendants. Then, every user holdng the master publc key mpk, can encrypt a message m M for the dentty ID by runnng C Enc(mpk, ID, m). Fnally, the cphertext C can be decrypted by runnng the determnstc decrypton algorthm, m Dec(sk ID, C). For correctness, t s requred that for all honestly generated master keys (mpk, msk) Setup, for all messages m M, all denttes ID ID l and all ID ancestors of ID, m Dec(KeyDer(msk, ID ), Enc(mpk, ID, m)) holds wth overwhelmng probablty. An IBE s defned as an HIBE wth a herarchy of depth 1. The securty of a HIBE scheme s captured by the standard noton of ndstngushablty under chosen-plantext attacks. In partcular, ths s formalzed by a game, IND-HID-CPA, that we recall n Fgure 1 usng the notaton of code-based games. The game s defned by four procedures that can be run by an adversary A and works as follows. As usual, A starts by executng Intalze and runs Fnalze before haltng. We assume that A makes at most one query ( ID, m 0, m 1 ) to 5

8 Game IND-HID-CPA procedure Intalze (mpk, msk) Setup β {0, 1} Return mpk procedure Extract( ID) sk ID KeyDer(msk, ID) Return sk ID procedure LR( ID, m 0, m 1 ) C Enc(mpk, ID, m β ) Return C procedure Fnalze(β ) Return (β = β) Game IND-sHID-CPA procedure Intalze( ID ) (mpk, msk) Setup; β {0, 1} Return mpk procedure LR(m 0, m 1 ) C Enc(mpk, ID, m β ) Return C Fgure 1: On the left the defnton of Game IND-HID-CPA. On the rght the procedures Intalze and LR of the game IND-sHID-CPA. Notce that n the latter game the procedures Extract and Fnalze are the same as those of game IND-sHID-CPA. the LR procedure, under the requrement that m 0 = m 1 (.e., the two messages have the same length), and that all the denttes submtted to Extract and LR are legtmate. For ths noton, a set of queres s sad legtmate f A never queres Extract on an dentty ID such that ID = ID or ID s an ancestor of ID. We defne the IND-HID-CPA-advantage of any adversary A aganst a HIBE scheme HIBE as Adv IND-HID-CPA HIBE (A) = 2 Pr[IND-HID-CPA A 1] 1 where IND-HID-CPA A 1 denotes that a run of the IND-HID-CPA wth adversary A outputs 1. Defnton 2.2 [IND-HID-CPA-securty] A HIBE scheme s IND-HID-CPA-secure f for any PPT adversary A, Adv IND-HID-CPA HIBE (A) s at most neglgble. In the context of herarchcal dentty-based encrypton a lot of works n the lterature also consdered a weaker noton of securty, called selectve-dentty ndstngushablty under chosenplantext attacks (IND-sHID-CPA). The man dfference wth the standard IND-HID-CPA noton s that here the adversary s requred to commt ahead of tme to the dentty that he wll use to query the LR procedure. The correspondng game s recalled n Fgure 1, on the rght. Precsely, we descrbe only the procedures Intalze and LR, as Extract and Fnalze reman the same as n the game IND-HID-CPA. The IND-sHID-CPA-advantage of any adversary A aganst a HIBE scheme HIBE s defned as Adv IND-sHID-CPA HIBE (A) = 2 Pr[IND-sHID-CPA A 1] 1 Defnton 2.3 [IND-sHID-CPA-securty] A HIBE scheme s IND-sHID-CPA-secure f for any PPT adversary A, Adv IND-sHID-CPA HIBE (A) s at most neglgble. Sometmes, n order to have a clear dstncton wth the standard noton of IND-HID-CPA, the latter s called full securty. 2.3 Identty Based Encrypton wth Wldcards The noton of Identty-Based Encrypton wth Wldcards was ntroduced by Abdalla et al. n [1] as a generalzaton of the HIBE s noton. A WIBE scheme s defned by a tuple of algorthms WIBE = (Setup, KeyDer, Enc, Dec) that works exactly as a HIBE, except that here the encrypton 6

9 algorthm takes as nput a value P (ID *) l (for 1 l L),.e., the pattern, nstead of an dentty vector. Such pattern may contan a specal don t care symbol *, the wldcard, at some levels. An dentty ID = (ID 1,..., ID l ) ID l s sad to match a pattern P (ID *) l, denoted as ID * P, f and only f l l and = 1,..., l: ID = P or P = *. Note that under ths defnton, any ancestor of a matchng dentty s also a matchng dentty. Ths makes sense for the noton of WIBE, as any ancestor can derve the secret key of a matchng descendant dentty anyway. For any pattern P (ID *) l, we denote wth W(P ) the set of ndces j [l] such that P j = *. For correctness, t s requred that for all honestly generated master keys (mpk, msk) Setup, for all messages m M, all patterns P (ID *) l and all denttes ID ID l such that ID * P, m Dec(KeyDer(msk, ID), Enc(mpk, P, m)) holds wth all but neglgble probablty. procedure Intalze(P ) (mpk, msk) Setup ; β {0, 1} Return mpk procedure Extract( ID) sk ID KeyDer(msk, ID) Return sk ID procedure LR(P, m 0, m 1 ) C Enc(mpk, P, m β ) Return C procedure Fnalze(β ) Return (β = β) Fgure 2: Game IND-sWID-CPA. Smlarly to HIBE, WIBE allows for smlar notons of securty under chosen-plantext attacks. In partcular, n our work we consder only the noton of selectve securty. Roughly speakng, t s smlar to the IND-sHID-CPA noton for HIBE, except that here the adversary has to commt to a pattern P at the begnnng of the game. Next, when he calls the LR procedure, he can provde a pattern P that matches P,.e., such that ether P s an dentty matchng P, or P s a sub-pattern of P. The securty noton s formalzed by the game IND-sWID-CPA n Fgure 2. So, we defne the IND-sWID-CPA-advantage of any adversary A aganst a WIBE scheme WIBE as Adv IND-sWID-CPA WIBE (A) = 2 Pr[IND-sWID-CPA A 1] 1 Defnton 2.4 A WIBE scheme s IND-sWID-CPA-secure f Adv IND-sWID-CPA WIBE (A) s neglgble for any PTA A. Remark 2.5 We notce that our noton of selectve-securty for WIBE schemes s slghtly more general than the one that was orgnally proposed n [1]. The man dfference s that n the orgnal work of Abdalla et al. the noton s purely selectve, meanng that the adversary declares the challenge pattern P at the begnnng of the game, and later t receves an encrypton of ether m 0 or m 1 under P. Instead, our noton allows for more flexblty. Indeed, the adversary stll declares P at the begnnng of the game, but later t may ask the challenge cphertext on a pattern P, possbly dfferent from P, but such that P matches P. We stress that ths property s not artfcal for at least two reasons. Frst, t s more general than the prevous one. Second, t s satsfed by all known WIBE schemes, and n partcular we wll show that t s satsfed by those schemes obtaned through our transformaton, from selectve-secure HIBE to selectve WIBE, that we descrbe n Secton The Contnual Memory Leakage Model In ths secton we present an extenson of the defntons of herarchcal dentty-based encrypton and wldcarded dentty-based encrypton n the Contnual Memory Leakage (CML) Model proposed 7

10 procedure Intalze (mpk, msk) Setup β {0, 1} C[ ID] ID L[ ID, 0] 0 ID Return mpk procedure Extract( ID) If C[ ID] = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 Return sk ID,C[ ID] procedure Challenge( ID ) Store ID procedure LR(m 0, m 1 ) C Enc(mpk, ID, m β ) Return C procedure Fnalze(β ) Return (β = β) Game CML-IND-HID-CPA procedure Leak(f, ID) If ID ID and ID not ancestor of ID Then Return Else contnue let C[ ID] If = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 If L[ ID, ] + f(sk ID, ) < ρ M sk L[ ID, ] L[ ID, ] + f(sk ID, ) ID, Then Return f(sk ID, ) Else Return procedure Update(f, ID) If ID ID and ID not ancestor of ID Then Return Else contnue let C[ ID] sk ID,+1 Update user (mpk, sk ID,, r) C[ ID] + 1 If L[ ID, ] + f(sk ID,, r) < ρ U sk ID, Then L[ ID, + 1] f(sk ID,, r) Return f(sk ID,, r) Else Return Fgure 3: Defnton of Game CML-IND-HID-CPA. by Brakersk et al. [19]. In partcular, we consder the model wth the restrcton that there s no leakage from the master secret key. Ths means that both the Setup and KeyDer algorthms do not leak secret nformaton. In ths settng a (H)IBE scheme s defned by the same algorthms as a standard (H)IBE wth an addtonal Update user algorthm that takes as nput the publc parameters, the secret key of some dentty ID and some randomness (from an approprate doman), and t outputs a new updated secret key for the same dentty ID. The noton of ndstngushablty under chosen-plantext attack n the CML model (that we call CML-IND-HID-CPA) s defned as follows. The game conssts of sx procedures that can be run by an adversary A and t works n the followng way. As usual, A starts by executng Intalze and runs Fnalze before haltng. The adversary can run the procedure Extract and then t s allowed one query to the procedure Challenge on some dentty ID such that ID, nor an ancestor of t, have been asked to Extract before. Next, the adversary can run procedures Extract, Leak and Update as descrbed n Fgure 3. Notce that Leak and Update can be quered on denttes ID that decrypt ID. These procedures take as nput also a computable functon f. As specfed n the fgure, such functons must have a suffcently bounded output sze. We also assume that A makes at most one query (m 0, m 1 ) to the LR pro- 8

11 cedure, under the requrement that m 0 = m 1 (.e., the two messages have the same length), and that all denttes submtted to Extract, Leak, Update and LR are legtmate. Fnally, once the adversary has quered LR t can no longer run Leak and Update. In the CML model, a set of queres s sad legtmate f A never queres Extract on an dentty ID such that ID = ID or ID s an ancestor of ID. Furthermore, the total number of bts of each secret key of ID (or of any ancestor of ID ) that are leaked through Leak and Update must be less than ρ M sk ID and ρ U sk ID respectvely. So, ρ M and ρ U represent the fracton of bts that can be leaked from the memory (.e., from a secret key) and from the update operaton (.e., from the secret key and the randomness used n the update). Notce that (ρ M, ρ U ) parametrze the securty game. We defne the CML-IND-HID-CPA-advantage of any adversary A aganst a HIBE scheme HIBE wth leakage rate (ρ M, ρ U ) as Adv CML-IND-HID-CPA HIBE (A) = 2 Pr[CML-IND-HID-CPA A 1] 1 where CML-IND-HID-CPA A 1 denotes that a run of the experment CML-IND-HID-CPA (parametrzed by (ρ M, ρ U )) wth adversary A outputs 1. Defnton 2.6 [CML-IND-HID-CPA-securty] A HIBE scheme s CML-IND-HID-CPA-secure wth leakage rate (ρ M, ρ U ) f for any PPT adversary A, Adv CML-IND-HID-CPA HIBE (A) s at most neglgble. In a very smlar way t s possble to defne the noton of selectve securty, CML-IND-sHID-CPA, for (H)IBE n the CML model. The game s descrbed by the procedures n Fgure 4. The procedures are smlar to the ones of the CML-IND-HID-CPA game, but they are a bt smpler. For consstency, n order for the game to make sense, we requre that the total number of bts of secret keys of ID (or of any ancestor of ID ) that are leaked through Leak and Update must be less than ρ M sk ID and ρ U sk ID respectvely. Defnton 2.7 [CML-IND-sHID-CPA-securty] A HIBE scheme s CML-IND-sHID-CPA-secure wth leakage rate (ρ M, ρ U ) f for any PPT adversary A, Adv CML-IND-sHID-CPA HIBE (A) s at most neglgble. WIBE n the CML model. Fnally, we extend the securty noton of WIBE to the CML model. To do ths, we defne the game CML-IND-sWID-CPA whch s smlar to IND-sWID-CPA, except that n addton t contans the procedures Leak and Update. The game s descrbed n detals n Fgure 5. The man dfference s n the defnton of what s the set of legtmate queres n ths settng. Frst, we requre that the adversary calls the LR procedure on a pattern P that matches the pattern P provded to Intalze at the begnnng of the game. Second, we requre that Leak and Update are quered on denttes matchng the challenge pattern, and that for each of these denttes the total number of leaked bts s at most ρ M sk ID and ρ U sk ID respectvely. Defnton 2.8 [CML-IND-sWID-CPA-securty] A WIBE scheme s CML-IND-sWID-CPA-secure wth leakage rate (ρ M, ρ U ) f for any PPT adversary A, Adv CML-IND-sWID-CPA WIBE (A) s at most neglgble. 3 Fully-Secure HIBE from Selectve-Secure WIBE In ths secton we concentrate on the frst part of our man result. We show how to construct a fully-secure HIBE scheme startng from any WIBE scheme that s secure only n a selectve sense. 9

12 Game CML-IND-sHID-CPA procedure Intalze( ID ) procedure Leak(f) (mpk, msk) Setup β {0, 1} L[] 0 sk ID,0 Return mpk KeyDer(msk, ID ) procedure Extract( ID) KeyDer(msk, ID) sk ID Return sk ID procedure LR(m 0, m 1 ) C Enc(mpk, ID, m β ) Return C If L[] + f(sk ID, ) < ρ M sk ID, Then L[] L[] + f(sk ID, ) Return f(sk ID, ) Else Return procedure Update(f) sk ID,+1 Update user (mpk, sk ID,, r) If L[] + f(sk ID,, r) < ρ U sk ID, Then L[ + 1] f(sk ID,, r) Return f(sk ID,, r) + 1 Else Return procedure Fnalze(β ) Return (β = β) Fgure 4: Defnton of Game CML-IND-sHID-CPA. procedure Intalze(P ) (mpk, msk) Setup β {0, 1} C[ ID] ID L[ ID, 0] 0 ID Return mpk procedure Extract( ID) If C[ ID] = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 Return sk ID,C[ ID] procedure LR(P, m 0, m 1 ) C Enc(mpk, ID, m β ) Return C procedure Fnalze(β ) Return (β = β) Game CML-IND-sWID-CPA procedure Leak(f, ID) let C[ ID] If = Then sk ID,0 KeyDer(msk, ID) C[ ID] 0 If L[ ID, ] + f(sk ID, ) < ρ M sk L[ ID, ] L[ ID, ] + f(sk ID, ) ID, Then Return f(sk ID, ) Else Return procedure Update(f, ID) let C[ ID] sk ID,+1 Update user (mpk, sk ID,, r) C[ ID] + 1 If L[ ID, ] + f(sk ID,, r) < ρ U sk ID, Then L[ ID, + 1] f(sk ID,, r) Return f(sk ID,, r) Else Return Fgure 5: Defnton of Game CML-IND-sWID-CPA. Our transformaton s black-box and makes use of admssble hash functons, a noton ntroduced by Boneh and Boyen n [9] that we recall below. Admssble Hash Functons. Admssble hash functons were frst ntroduced by Boneh and Boyen n [9] as a tool for provng the full securty of ther dentty-based encrypton scheme n 10

13 the standard model. Such functons turn out to be partcularly sutable for ths purpose as they provde a way to mplement the so-called parttonng technque, a proof methodology that allows to secretly partton the dentty space nto two sets, the blue set and the red set, both of exponental sze, so that there s a non-neglgble probablty that the adversary s secret key queres fall n the blue set and the challenge dentty falls n the red set. Ths property has been shown useful to prove the full securty of some dentty-based encrypton schemes (e.g., [9, 35, 22]). In partcular, t fts those cases when, n the reducton, one can program the smulator so that t can answer secret key queres for all the blue denttes, whereas t s prepared to generate a challenge cphertext only for red denttes. In our work we employ admssble hash functons for a smlar purpose,.e., constructng a fullysecure HIBE from a selectve-secure WIBE, and n partcular we adopt a defnton of admssble hash functons whch follows the one used by Cash et al. n [22]. The formal defnton follows. Let k N be the securty parameter, w and λ be two values that are at most polynomal n k, and Σ be an alphabet of sze s. Let H = {H : {0, 1} w Σ λ } be a famly of functons. For H H, K (Σ {*}) λ and any x {0, 1} w we defne the followng functon whch colors strngs n {0, 1} w as follows: { R f {1,..., λ} : H(x) = K F K,H (x) = or K = * B f {1,..., λ} : H(x) K For any µ {0,..., λ}, we denote wth K (λ,µ) the unform dstrbuton over (Σ {*}) λ such that exactly µ components are not *. Moreover, for every H H, K K (λ,µ), and every vector x ({0, 1} w ) Q+1 we defne the functon γ( x) = Pr[F K,H (x 0 ) = R F K,H (x 1 ) = B F K,H (x 2 ) = B F K,H (x Q ) = B]. Defnton 3.1 [Admssble Hash Functons] H = {H : {0, 1} w Σ λ } s a famly of (Q, δ mn )- admssble hash functons f for every polynomal Q = Q(k), there exsts an effcently computable functon µ = µ(k), effcently recognzable sets bad H ({0, 1} w ) and an nverse of a polynomal δ mn = 1/δ(k, Q) such that the followng propertes holds: 1. For every PPT algorthm A that, on nput H H, outputs x ({0, 1} w ) Q+1, there exsts a neglgble functon ɛ(k) such that: Adv adm H (A) = Pr[ x bad H : H H, x A(H)] ɛ(k) 2. For every H H, K K (λ,µ), and every vector x ({0, 1} w ) Q+1 \ bad H such that x 0 / {x 1,..., x Q } we have: γ( x) δ mn. 3.1 Our transformaton Let WIBE be a WIBE scheme wth dentty space ID = Σ of sze s and depth λ L, and H = {H : {0, 1} w Σ λ } be a famly of functons. Then we construct the followng HIBE scheme that has dentty space ID = {0, 1} w and depth at most L: HIBE.Setup: run (mpk, msk ) WIBE.Setup and select H 1,..., H L H. Output mpk = (mpk, H 1,..., H L ) and msk = msk. HIBE.KeyDer(msk, ID): let ID = (ID 1,..., ID l ) and defne I = (H 1 (ID 1 ),..., H l (ID l )) Σ λ l. Output sk ID = WIBE.KeyDer(msk, I). 11

14 HIBE.Enc(mpk, ID, m): let ID = (ID 1,..., ID l ) and defne I = (H 1 (ID 1 ),..., H l (ID l )) Σ λ l. Output C = WIBE.Enc(mpk, I, m). HIBE.Dec(sk ID, C): return m = WIBE.Dec(sk ID, C). Our scheme s very smple. Essentally, the HIBE algorthm uses the algorthms of the WIBE scheme n a black-box way, where each dentty component ID s frst hashed usng a functon H H. Boneh and Boyen show how to construct admssble hash functons based on collson-resstance and error-correcton, and propose some concrete parameters for ther nstantaton (whch satsfy our defnton). In partcular, for convenence of ther constructon, they consder functons that map to strngs n an alphabet Σ of sze s = 2. Here we notce that f the gven WIBE has an alphabet Σ of sze s > 2, then one can smply choose two values x 1, x 2 Σ, set Σ = {x 1, x 2 }, and then consder the same WIBE restrcted to these two denttes. The securty of our scheme follows from the followng theorem. Theorem 3.2 If H = {H : {0, 1} w Σ λ } s a famly of (Q, δ mn )-admssble hash functons, and WIBE s IND-sWID-CPA-secure, then the scheme HIBE gven n Secton 3 s IND-HID-CPA-secure, where the maxmum herarchy s depth L s some fxed constant. Proof Intuton. Although the scheme s smple, ts proof of securty s rather techncal. Therefore, we frst provde some nformal ntutons about our strategy. Intutvely speakng, the proof proceeds by showng an algorthm B that plays game IND-sWID-CPA aganst the scheme WIBE and smulates the game IND-HID-CPA to an adversary A aganst HIBE. B frst generates the parameters for the admssble hash functons, whch defne parttons B and R of the dentty space, and then t declares the set R as the challenge pattern (notce that by defnton of K K (λ,µ), R can be descrbed n a compact way usng a pattern). Next, all secret key queres made by A for denttes n B are forwarded by B to ts own challenger, and the same can be done f the challenge dentty chosen by A falls n R. In partcular, by the propertes of admssble hash functons, the event that the denttes of secret key queres fall n B and the challenge dentty falls n R occurs wth non-neglgble probablty. However, thngs are not that smple, as there may be unlucky events n whch B s unable to smulate the rght game to A and thus t needs to abort. As t already occurred n other works [35, 22], these events may not be ndependent of the adversary s vew, and one soluton s to force the smulator to run an expensve artfcal abort step. Our proof of Theorem 3.2 proceeds n ths way, requrng B to (eventually) artfcally abort at the end of the smulaton. Alternatvely, one can extend the technques ntroduced by Bellare and Rstenpart n [5] to obtan a proof of Theorem 3.2 whch avods the need of artfcal aborts. However, ths requres a slghtly dfferent defnton of admssble hash functons. In Appendx A we descrbe ths alternatve proof wthout artfcal aborts. It may be of ndependent nterest. Proof: To prove Theorem 3.2 we descrbe a sequence of games that allows to show that an adversary for the game IND-HID-CPA can be effcently turned nto an adversary for the game IND-sWID- CPA. The smulator algorthm B. In Fgure 6 we descrbe an adversary B that plays game IND-sWID-CPA aganst the scheme WIBE, by smulatng the game IND-HID-CPA to an adversary A. To avod confuson between the games IND-sWID-CPA and IND-HID-CPA, we prepend the prefx sw to the procedures of IND-sWID-CPA. In order to show that such smulaton can be carred on effcently, we proceed by descrbng a sequence of games G 0 G 8, where G 0 s the game smulated by our algorthm B, and G 8 s essentally 12

15 Algorthm B: K 1,..., K L K (λ,µ) P (K 1,..., K L ) Run mpk sw.intalze(p ) H 1,..., H L H cnt 1 mpk (mpk, H 1,..., H L ) Run A (mpk), answerng queres as follows: Extract( ID): X cnt ID, cnt cnt + 1 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) sk ID If F H,K (ID ) = R = 1 to l Then bad true Else sk ID sw.extract( I) Return sk ID LR(ID, m 0, m 1 ): X 0 ID let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) C If [l ] : F H,K (ID ) = B Then bad true Else C sw.lr( I, m 0, m 1 ) return C let β be A s output If [L] : X bad H Then β {0, 1} If bad true η 0 for j = 1 to ks/δmn L do K 1,..., K L K (λ,µ) If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then η η + 1 δ η/ ks/δmn L Set bad true wth probablty 1 δmn L / δ If bad = true Then β {0, 1} sw.fnalze(β ) procedure Intalze: Games G 0 G K 1,..., K L K (λ,µ) 002 P (K 1,..., K L ) 003 (mpk, msk ) WIBE.Setup; β {0, 1} 004 H 1,..., H L H 005 cnt mpk (mpk, H 1,..., H L ) 007 return mpk procedure Extract( ID): Games G 0, G X cnt ID; cnt cnt let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 012 sk ID 013 If F H,K (ID ) = R = 1 to l Then 014 bad true 015 sk ID WIBE.KeyDer(msk, I) 016 Else sk ID WIBE.KeyDer(msk, I) 017 Return sk ID procedure LR( ID, m 0, m 1 ): Games G 0, G X 0 ID 021 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 022 C 023 If [l ] : F H,K (ID ) = B Then 024 bad true 025 C WIBE.Enc(mpk, I, m β ) 026 Else 027 C WIBE.Enc(mpk, I, m β ) 028 return C procedure Fnalze(β ): Games G 0, G If [L] : X bad H Then β {0, 1} 031 β β 032 If bad true 033 η for j = 1 to ks/δmn L do 035 K1,..., K L K (λ,µ) 036 If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then 037 η η δ η/ ks/δ L mn 039 Set bad true wth probablty 1 δmn L / δ 040 If bad = true Then β {0, 1}, β β 041 If β = β Then return Else return 0 Fgure 6: Adversary B and descrpton of the games G 0 and G 1. 13

16 IND-HID-CPA wth some addtonal code that, however, does not condton the output. Our approach s based on code-based games where each game s defned as a set of procedures that can be run by the adversary. Before focusng on the game sequence, we frst show that the smulaton provded by B s correct whenever bad s not set, and that B plays the game IND-sWID-CPA correctly. For ease of exposton we assume that the adversary always outputs denttes of the same (maxmum) length L. However, ths can be formalzed by assumng that for any set of denttes ( ID 0,..., ID Q ) output by A, for = 1 to Q all those ID such that ID < L are padded to reach length L usng some specal symbol so that F H,K (ID j) always returns B on postons j such that ID < j L. On the other hand, f the challenge dentty has length l < L, then t s padded wth some symbol so that F H,K (ID 0 j) always returns R on postons j > l. Frst, observe that all the denttes I for whch B runs sw.extract( I) are legtmate queres, namely they do not match the challenge pattern P declared by B to sw.intalze. In the code of B, f sw.extract( I) s called, then there exsts an ndex {1,..., l} for whch F K,H (ID ) = B, namely I P (and P *), thus I * P. Second, note that the cphertext C s dstrbuted as the challenge cphertext n the game IND-HID-CPA for the scheme HIBE. However, we have also to check that the procedure sw.lr be run on an dentty I * P. To see ths, observe that the procedure s run only f bad s not set, namely when F H,K (ID ) = R for all [l ], whch s equvalent to say I * P. A crtcal part n B s smulaton s that t may set bad true and, as a consequence, B returns a random bt (bascally, t fals ts smulaton). Such bad event depends on the values K 1,..., K L chosen by B as well as on the set of denttes asked by A to Extract and LR. As shown n other works, such as [35], these cases are problematc as the event that the smulaton fals s not ndependent of the adversary s vew. Ths dffculty s overcome by ntroducng an artfcal abort event n the smulaton that allows to balance the probablty of falng so that t s suffcently ndependent of the adversary s vew. Ths s why, at the end of the smulaton, even f bad was not set, the algorthm B may abort. Precsely, the smulator B proceeds as follows. Before termnatng the smulaton, B repeats ks/δmn L tmes the followng step: t samples L vectors K 1,..., K L as at the begnnng of the smulaton, and for each sample t checks whether such choce (combned wth the gven set X of denttes returned by the adversary) would set bad true or not. At the end of ths step, B evaluates on the fly the average probablty, over the random choces of the vectors K, that bad s set, gven the set X. Let δ be such estmaton, then B sets bad true wth probablty 1 δmn L / δ. In partcular, here S s an arbtrary polynomal such that by Hoeffdng s nequalty, ks/δ L samples are suffcent to get δ δ L such that [ Γ(X) ] Pr δ δl 1 S 2 k. (1) The sequence of games. Now, let us focus on the sequence of games G 0 G 8. In partcular, the Lemma 3.3 gven below proves that we can move from the game IND-sWID-CPA played by B to game G 4. Followng the notaton gven n Secton 2, we wrte G A b to denote that an executon of game G by A returns b. Also, let Bad (resp. Good ) be the event that G sets (resp. does not set) bad true. Our adversary B and the games G 0 G 8 are descrbed n Fgures 6 and 7. When some games share a procedure wth very smlar code we use a compact descrpton wth boxed statements. If a 14

17 procedure Extract( ID): Game G X cnt ID; cnt cnt let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 212 If F H,K (ID ) = R = 1 to l Then 213 bad true 214 sk ID WIBE.KeyDer(msk, I)( I) 215 Return sk ID procedure LR( ID, m 0, m 1 ): Game G X 0 ID 221 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 222 If [l ] : F H,K (ID ) = B Then 223 bad true 224 C WIBE.Enc(mpk, I, m β ) 225 return C procedure Fnalze(β ): Game G 2, G If [L] : X bad H Then β {0, 1} 231 for j = 1 to cnt do 232 let l j ID j 233 If F H,K (X j ) = R = 1 to l j Then 234 bad true 235 If [l ] : F H,K (X 0) = B Then 236 bad true 237 If bad true 238 η for j = 1 to ks/δmn L do 240 K1,..., K L K (λ,µ) 241 If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then 242 η η δ η/ ks/δ L mn 244 Set bad true wth probablty 1 δmn L / δ 245 If β = β Then return Else return 0 procedure Intalze(l ): Games G 4 G (mpk, msk ) WIBE.Setup; β {0, 1} 401 H 1,..., H L H 402 mpk (mpk, H 1,..., H L ) 403 cnt return mpk procedure Fnalze(β ): Game G If [L] : X bad H Then β {0, 1} 641 Set bad true wth probablty 1 δmn L 642 If bad = true Then β {0, 1} 643 If β = β Then return Else return 0 procedure Extract( ID): Games G 3 G X cnt ID; cnt cnt let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 312 sk ID WIBE.KeyDer(msk, I)( I) 313 Return sk ID procedure LR( ID, m 0, m 1 ): Game G 3 G X 0 ID 321 let l = ID, I (H 1 (ID 1 ),..., H l (ID l )) 322 C WIBE.Enc(mpk, I, m β ) 323 return C procedure Fnalze(β ): Game G 4, G If [L] : X bad H Then β {0, 1} 431 K 1,..., K L K (λ,µ) 432 for j = 1 to cnt do 433 let l j ID j 434 If F H,K (X j ) = R = 1 to l j Then 435 bad true 436 If [l ] : F H,K (X 0) = B Then 437 bad true 438 If bad true 439 η for j = 1 to ks/δmn L do 441 K1,..., K L K (λ,µ) 442 If L =1 (F K,H (X 0) = R F K,H (X 1) = B F K,H (X Q ) = B) Then 443 η η δ η/ ks/δ L mn 445 Set bad true wth probablty 1 δmn L / δ 446 If bad = true Then β {0, 1} 447 If β = β Then return Else return 0 procedure Fnalze(β ): Game G If [L] : X bad H Then β {0, 1} 741 If β = β Then return Else return 0 procedure Fnalze(β ): Game G If β = β Then return Else return 0 Fgure 7: Descrpton of the Games from G 2 to G 8. 15

18 procedure s shared by games G, G j,..., G k, f G s boxed, then the code of the gven procedure n G ncludes the boxed statements, whereas ts code n the other games does not. To better understand the notaton one may look at Fgure 6 for an example. There, the Fnalze procedure s shared by games G 0 and G 1, and G 1 s wrtten n a box. Ths means that Fnalze n G 1 contans the statement β β of lne 040, whereas ths statement s not present n game G 0. Lemma 3.3 Adv IND-sWID-CPA WIBE (B) = 2 Pr[G A 4 1 Good 4 ] Pr[Good 4 ]. Proof: To prove the lemma we wll analyze the dfferences between each consecutve par of games. Frst, we focus on the code of B and game G 0. The procedure Intalze contans n lne 003 the code of sw.intalze. Moreover, lne 016 and lne 027 contan the code of sw.extract and sw.lr respectvely. Fnally, t s not hard to notce that the code of the Fnalze procedure s an equvalent mplementaton of the way B concludes ts smulaton and executes sw.fnalze. Therefore, we have: Pr[IND-sWID-CPA B 1] = Pr[G A 0 1] = Pr[G A 0 1 Bad 0 ] Pr[Bad 0 ] + Pr[G A 0 1 Good 0 ] = 1 2 Pr[Bad 0] + Pr[G A 0 1 Good 0 ] (2) where Equaton (2) s justfed from that the Fnalze procedure of G 0 outputs a random bt when bad s set. If we look at the dfferences between the games G 0 and G 1 we can observe that G 1 contans some addtonal lnes of code (hghlghted n the framed boxes). Such changes make sure that Extract and LR never return. Also, n G 1 Fnalze s modfed n lne 040 (by addng β β ) so that the procedure s output does not depend on bad = true. Snce n game G 0 the events that Extract and LR return and that Fnalze takes β at random both occur only f bad s set, then we have that G 0 and G 1 are dentcal-untl-bad. Thus, we can apply Lemma 2.1 to obtan: Pr[Bad 0 ] = Pr[Bad 1 ] and Pr[G A 0 1 Good 0 ] = Pr[G A 1 1 Good 1 ] (3) Now, let us compare games G 1 and G 2. The changes n the Extract and Fnalze procedures are only syntactcal. Lnes 015, 016 (resp. 025, 027) of G 1 have been moved to lne 214 (resp. 224) of G 2. So G 2 s equvalent to G 1 : Pr[Bad 1 ] = Pr[Bad 2 ] and Pr[G A 1 1 Good 1 ] = Pr[G A 2 1 Good 2 ] (4) Let us now consder G 2 and G 3. In game G 2, both Extract and LR may set bad n lnes and respectvely. However, ths operaton does no longer nfluence the behavor of each procedures. So, n G 3 these lnes are moved to the end of the game, nto the procedure Fnalze. Moreover, n order for ths change to be descrbed correctly, G 3 ntroduces a counter and a labelng for the quered denttes. Agan, these changes n the code are only syntactcal. Thus the two games are dentcal, and we have: Pr[Bad 2 ] = Pr[Bad 3 ] and Pr[G A 2 1 Good 2 ] = Pr[G A 3 1 Good 3 ] (5) 16

19 Fnally, we show that G 3 and G 4 are dentcally dstrbuted as well. The only change s that lne 001 of G 3 s moved to lne 431 of Fnalze n G 4. Snce n G 3 the values K 1,..., K L are used only nto Fnalze, ths code can be postponed there. Thus we have: Pr[Bad 3 ] = Pr[Bad 4 ] and Pr[G A 3 1 Good 3 ] = Pr[G A 4 1 Good 4 ] (6) Fnally, f we put together Equatons (2), (3), (4), (5) and (6) we obtan: Adv IND-sWID-CPA WIBE (B) = 2 Pr[IND-sWID-CPA B 1] 1 whch completes the proof of the Lemma. = Pr[Bad 4 ] + 2 Pr[G A 4 Good 4 ] 1 = 2 Pr[G A 4 Good 4 ] Pr[Good 4 ] (7) Next, f we look at games G 4 and G 5, we notce that the only dfference s that G 5 changes the value of β wth a random bt when bad = true. Snce ths acton s performed only f bad s set, then we have that games G 4 and G 5 are dentcal-untl-bad, and thus we can apply the restatement of the fundamental Lemma of game-playng (.e., Lemma 2.1) to obtan: Pr[Bad 4 ] = Pr[Bad 5 ] and Pr[G A 4 1 Good 4 ] = Pr[G A 5 1 Good 5 ] (8) Now, let us focus on the games G 5 and G 6. We observe that lnes of game G 5 are substtuted wth lne 641 n game G 6. In partcular, n the latter game bad s set true wth ndependent probablty 1 δmn L. Snce Pr[Good 5] = δmn L Γ(X), and the condton of Equaton (1) holds, then we obtan δ that the dfference Pr[Good 5 ] Pr[Good 6 ] = δ L mn δ Γ(X) δ holds wth probablty 1 1/2 k. Thus we have: δl mn S Pr[G A 5 1] Pr[G A 6 1] δl mn S k (9) Game G 7 s the same as G 6 except that the Fnalze procedure does not set bad. So we have: 2 Pr[G A 6 1] 1 = δ L mn(2 Pr[G A 7 1] 1) (10) Fnally, observe that game G 8 dffers from game G 7 as t does no longer contan lne 740. So, t s easy to observe that a trval reducton would show that any effcent dstngusher between the two games would reduce to the frst condton of admssble hash functons, namely: Pr[G A 8 1] Pr[G A 7 1] L Adv adm H,C (k) (11) 17

20 Fnally, one can easly note that game G 8 s essentally the same as the game IND-HID-CPA wth some addtonal book-keepng. So we can wrte: Adv IND-HID-CPA HIBE (A) = 2 Pr[G A 8 1] 1 2 Pr[G A 7 1] 1 + 2L Adv adm H (C) (12) = 2 Pr[GA 6 1] 1 δ L mn 2 Pr[GA 5 1] 1 δ L mn 2 Pr[GA 4 1 Good 4 ] Pr[Good 4 ] δ L mn AdvIND-sWID-CPA WIBE δmn L + 2L Adv adm H (C) (13) ( S + 1 ) 2 k δmn L + 2L Adv adm H (C) (14) (B) ( S + 1 ) 2 k + +2L Adv adm H (C) (15) ( S + 1 ) 2 k + 2L Adv adm H (C) (16) Equaton (12) s obtaned by applyng Equaton (11), whle Equaton (13) derves from Equaton (10). Equaton (14) s obtaned by applyng the dfference between game G 5 and G 6 noted n Equaton (9). Equaton (15) comes from that G 4 and G 5 are dentcal-untl-bad (see Equaton (8)), and fnally the last result (16) s obtaned by combnng Equatons (15) and (7). Ths completes the proof of Theorem 3.2. Due to the exponental factor L, we notce that the reducton s meanngful when the maxmum herarchy s depth L s some fxed constant. Remark 3.4 Even though our transformaton requres a WIBE scheme wth λ L levels to get a HIBE wth L levels, we observe that the HIBE key dervaton algorthm wll use the WIBE key dervaton at most L tmes. The pont s that whle L s supposed to be a constant, λ can be nstead non-constant, as t s the case for known constructons of admssble hash functons, whose output length depends on the number of secret key queres made by the adversary. Ths mght have been a problem for those WIBE schemes that do not support key dervaton (delegaton) for a polynomal number of levels, such as our lattce-based scheme n Secton Extensons of our transformaton Our transformaton easly allows for two extensons. Obtanng an IBE. If one s nterested nto constructng only an IBE, then our transformaton easly works. In partcular, we observe that to construct an IBE we can use a WIBE scheme wth herarchy of depth λ (nstead of λ L). Furthermore the WIBE does not need to satsfy the delegaton property. Therefore, we can state the followng Corollary: Corollary 3.5 Let IBE be the IBE scheme defned as HIBE usng a scheme WIBE of depth λ. If H = {H : {0, 1} w Σ λ } s a famly of (Q, δ mn )-admssble hash functons, and WIBE s INDsWID-CPA-secure (even wthout the delegaton property), then the scheme IBE descrbed above s IND-ID-CPA-secure. The transformaton n the CML model. It s nterestng to note that our transformaton from a selectve-secure WIBE to a fully-secure HIBE scheme works also n the CML model (whose 18