Identity-Based Encryption Gone Wild
An extended abstract of this paper appeared in Michele Bugliesi, Bart Preneel, Vladimiro Sassone, and Ingo Wegener, editors, 33rd International Colloquium on Automata, Languages and Programming (ICALP 2006), volume 4052 of Lecture Notes in Computer Science, Springer-Verlag, 2006 [ACD+06]. This is the full version.

Identity-Based Encryption Gone Wild

Michel Abdalla (1), Dario Catalano (1), Alexander W. Dent (2), John Malone-Lee (3), Gregory Neven (1,4), Nigel P. Smart (3)

September 5,

(1) Département d'Informatique, École Normale Supérieure, 45 rue d'Ulm, Paris Cedex 05, France. Email: {Michel.Abdalla,Dario.Catalano,Gregory.Neven}@ens.fr
(2) Information Security Group, Royal Holloway, University of London, Egham, Surrey, TW20 0EX, United Kingdom. Email: [email protected]
(3) Department of Computer Science, University of Bristol, Woodland Road, Bristol, BS8 1UB, United Kingdom. Email: {malone,nigel}@cs.bris.ac.uk
(4) Department of Electrical Engineering, Katholieke Universiteit Leuven, Kasteelpark Arenberg 10, B-3001 Heverlee, Belgium. Email: [email protected]

Abstract. In this paper we introduce a new primitive called identity-based encryption with wildcards, or WIBE for short. It allows a sender to encrypt a message to a whole range of users simultaneously, namely all users whose identities match a certain pattern. The pattern is defined by a sequence of fixed strings and wildcards, where any string may take the place of a wildcard in a matching identity. The primitive gives an intuitive way to send encrypted email to groups of users in a corporate hierarchy. We propose a full security notion and give efficient implementations meeting this notion under different pairing-related assumptions, both in the random oracle model and in the standard model.

Keywords: Identity-based encryption, provable security.
Contents

1 Introduction
2 Basic Definitions
3 Identity-Based Encryption with Wildcards
4 A Generic Construction
5 A Construction from Waters' HIBE Scheme
  5.1 Waters' HIBE Scheme
  5.2 The Wa-WIBE Scheme
6 More Efficient Constructions in the Random Oracle Model
  6.1 A Construction from Boneh-Boyen's HIBE Scheme
  6.2 A Construction from Boneh-Boyen-Goh's HIBE Scheme
  6.3 From Selective-Identity to Full Security
7 Chosen-Ciphertext Security
Acknowledgements
References
A The BB-HIBE Scheme
B The BBG-HIBE Scheme
1 Introduction

The concept of identity-based cryptography was introduced by Shamir as early as 1984 [Sha85]. However, it took nearly twenty years for an efficient identity-based encryption (IBE) scheme to be proposed. In 2000 and 2001 respectively, Sakai, Ohgishi and Kasahara [SOK00] and Boneh and Franklin [BF03] proposed IBE schemes based on elliptic curve pairings. Also in 2001, Cocks proposed a system based on the quadratic residuosity problem [Coc01].

One of the main application areas proposed for IBE is email encryption. In this scenario, given an email address, one can encrypt a message to the owner of the email address without needing to obtain an authentic copy of the owner's public key first. In order to decrypt the email, the recipient must authenticate itself to a trusted authority, which generates a private key corresponding to the email address used to encrypt the message.

Identity-based encryption with wildcards. Our work is motivated by the fact that many email addresses correspond to groups of users rather than single individuals. Consider a scenario with some kind of organisational hierarchy. Take as an example an organisation called ECRYPT which is divided into virtual labs, say AZTEC and STVL. In addition, these virtual labs are further subdivided into working groups WG1, WG2 and WG3. Finally, each working group may consist of many individual members. There are several extensions of the IBE primitive to such a hierarchical setting (HIBE) [HL02, GS02]. The idea is that each level can issue keys to users on the level below. For example, the owner of the ECRYPT key can issue decryption keys for ECRYPT.AZTEC and ECRYPT.STVL.

Suppose that we wish to send an email to all the members of the AZTEC.WG1 working group, which includes the personal addresses ECRYPT.AZTEC.WG1.Nigel, ECRYPT.AZTEC.WG1.Dario and ECRYPT.AZTEC.WG1.John. Given a standard HIBE, one would have to encrypt the message to each user individually. To address this limitation we introduce the concept of identity-based encryption with wildcards (WIBE). The way in which decryption keys are issued is exactly as in a standard HIBE scheme; what differs is encryption. Our primitive allows the encrypter to replace any component of the recipient identity with a wildcard, so that any identity matching the pattern can decrypt. Denoting wildcards by *, in the example above the encrypter would use the identity ECRYPT.AZTEC.WG1.* to encrypt to all members of the AZTEC.WG1 group.

It is often suggested that identity strings should be appended with the date so as to add timeliness to the message, and so mitigate the problems associated with key revocation. Using our technique we can now encrypt to a group of users, with a particular date, by encrypting to an identity of the form ECRYPT.AZTEC.WG1.*.22Oct2006, for example. Thus any individual in ECRYPT.AZTEC.WG1 with a decryption key for 22nd October 2006 will be able to decrypt.

As another example, take a hierarchy of email addresses at academic institutions of the form [email protected], i.e., the email address of John Smith working at the computer science department of Some State University would be [email protected]. Using our primitive, one can send encrypted email to everyone in the computer science department at SSU by encrypting to the identity *@cs.ssu.edu, to everyone at SSU by encrypting to *@*.ssu.edu, to all computer scientists at any institution by encrypting to *@cs.*.edu, or to all system administrators in the university by encrypting to sysadmin@*.ssu.edu.

Our contributions. In this paper, we introduce the primitive of identity-based encryption with wildcards, define appropriate security notions under chosen-plaintext and chosen-ciphertext attack, and present the first instantiations of this primitive. An overview of our schemes is given in Figure 1. We first show a generic construction from any HIBE scheme, which has the disadvantage that the size of the secret key of a user on level l in the hierarchy is exponential in l. The scheme clarifies the relationship between both primitives and motivates our search for direct schemes with efficiency polynomial in all parameters.

Figure 1:

Scheme      |mpk|           |d|               |C|           Dec        Assumption   RO
Generic     |mpk_HIBE|      2^L * |d_HIBE|    |C_HIBE|      Dec_HIBE   IND-ID-CPA   No
Wa-WIBE     (n+1)L + 3      L + 1             (n+1)L + 2    L + 1      BDDH         No
BB-WIBE     2L + 3          L + 1             2L + 2        L + 1      BDDH         Yes
BBG-WIBE    L + 4           L + 2             L + 3         2          L-BDHI       Yes

Figure 1: Efficiency and security comparison between the generic scheme of Section 4, the Wa-WIBE scheme of Section 5.2, and the BB-WIBE and BBG-WIBE schemes presented in Section 6.1 and Section 6.2. The schemes are compared in terms of master public key size (|mpk|), user secret key size (|d|), ciphertext size (|C|), decryption time (Dec), the security assumption under which the scheme is proved secure, and whether this proof is in the random oracle model or not. (The generic construction does not introduce any random oracles, but if the security proof of the HIBE scheme is in the random oracle model, then the WIBE obviously inherits this property.) Values refer to the underlying HIBE scheme for the generic scheme, and to the number of group elements (|mpk|, |d|, |C|) or pairing computations (Dec) for the other schemes. L is the maximal hierarchy depth and n is the bit length of an identity string. Figures are worst-case values, usually occurring for identities at level L with all-wildcard ciphertexts. L-BDHI refers to the decisional bilinear Diffie-Hellman inversion assumption [MSK02, BB04].

The Wa-WIBE scheme is based on Waters' HIBE scheme [Wat05] and is provably secure in the standard (i.e., non-random-oracle [BR93]) model under the bilinear decisional Diffie-Hellman (BDDH) assumption. Its efficiency is polynomial in all parameters, but it has the disadvantage that each wildcard adds n + 1 group elements to the ciphertext. In practice, one would typically use the output of a collision-resistant hash function as identity strings, so that n ≈ 160. The resulting ciphertexts may be prohibitively long for many applications.

Our second direct construction, the BB-WIBE scheme, is based on the Boneh-Boyen HIBE scheme [BB04], and adds only two group elements to the ciphertext for each wildcard in the recipient pattern. It is provably secure under the (weaker) selective-identity security notion under the BDDH assumption. We extend an observation of [BB04, BBG05] to the case of WIBE schemes and show how to achieve full security in the random oracle model.

Lastly, the BBG-WIBE scheme that we derive from the Boneh-Boyen-Goh [BBG05] HIBE scheme offers more efficient decryption (two pairings, versus L + 1 for the other schemes) and even shorter ciphertexts if few wildcards are used. (The ciphertext size is not constant, however, but depends linearly on the number of wildcards in the recipient pattern.) The scheme is provably selective-identity secure under the decisional L-bilinear Diffie-Hellman inversion (L-BDHI) assumption [BBG05], which is a stronger assumption than BDDH.

We note that all of our fully (as opposed to selective-identity) secure constructions lose a factor exponential in L in the reduction to the underlying assumption. This limits the secure use of our schemes to very small hierarchy depths. This (quite severe) restriction is not so surprising, however, given that WIBE schemes are in fact a generalisation of HIBE schemes, and that the same restriction arises in all currently known HIBE constructions. We therefore leave the construction of a truly polynomial (in terms of efficiency and security) WIBE scheme as an open problem.

Finally, we show how to achieve chosen-ciphertext security in Section 7. We adapt the technique of Canetti, Halevi and Katz [CHK04] and show that an L-level CCA-secure WIBE can be built from a (2L + 2)-level CPA-secure WIBE and a strongly unforgeable one-time signature scheme.
2 Basic Definitions

In this section we introduce some notation, computational problems and basic primitives that we will use throughout the rest of the paper.

Let $\mathbb{N} = \{0, 1, \ldots\}$ be the set of natural numbers. Let $\varepsilon$ be the empty string. If $n \in \mathbb{N}$, then $\{0,1\}^n$ denotes the set of $n$-bit strings, and $\{0,1\}^*$ is the set of all bit strings. More generally, if $S$ is a set, then $S^n$ is the set of $n$-tuples of elements of $S$, and $S^{\le n}$ is the set of tuples of length at most $n$. If $S$ is finite, then $x \stackrel{\$}{\leftarrow} S$ denotes the assignment to $x$ of an element chosen uniformly at random from $S$. If $A$ is an algorithm, then $y \leftarrow A(x)$ denotes the assignment to $y$ of the output of $A$ on input $x$, and if $A$ is randomised, then $y \stackrel{\$}{\leftarrow} A(x)$ denotes that the output of an execution of $A(x)$ with fresh coins is assigned to $y$.

Bilinear maps and related assumptions. Let $\mathbb{G}, \mathbb{G}_T$ be multiplicative groups of prime order $p$ with an admissible map $\hat{e} : \mathbb{G} \times \mathbb{G} \to \mathbb{G}_T$. By admissible we mean that the map is bilinear, non-degenerate and efficiently computable. Bilinearity means that for all $a, b \in \mathbb{Z}_p$ and all $g \in \mathbb{G}$ we have $\hat{e}(g^a, g^b) = \hat{e}(g, g)^{ab}$. By non-degenerate we mean that $\hat{e}(g, g) = 1$ if and only if $g = 1$.

In such a setting we can define a number of computational problems. The first we shall be interested in is the bilinear decisional Diffie-Hellman (BDDH) problem: given a tuple $(g, A = g^a, B = g^b, C = g^c, T)$, the problem is to decide whether $T = \hat{e}(g, g)^{abc}$ or whether it is a random element of $\mathbb{G}_T$. More formally, we define the following game between an adversary $A$ and a challenger. The challenger first chooses a random generator $g \in \mathbb{G}$, random integers $a, b, c \in \mathbb{Z}_p$, a random element $T \in \mathbb{G}_T$ and a random bit $\beta$. If $\beta = 1$ it feeds $A$ as input the tuple $(g, g^a, g^b, g^c, \hat{e}(g, g)^{abc})$; if $\beta = 0$ it feeds it $(g, g^a, g^b, g^c, T)$. The adversary $A$ must then output its guess $\beta'$ for $\beta$. The adversary has advantage $\epsilon$ in solving the BDDH problem if
$$\Pr\left[ A(g, g^a, g^b, g^c, \hat{e}(g, g)^{abc}) = 1 \right] - \Pr\left[ A(g, g^a, g^b, g^c, T) = 1 \right] \ge 2\epsilon,$$
where the probabilities are over the choice of $g, a, b, c, T$ and over the random coins of $A$.

Definition 2.1 The $(t, \epsilon)$ BDDH assumption holds if no $t$-time adversary $A$ has at least $\epsilon$ advantage in the above game.

We note that throughout this paper we will assume that the time $t$ of an adversary includes its code size, in order to exclude trivial lookup adversaries.

A second problem we will use in our constructions is the $l$-bilinear Diffie-Hellman inversion ($l$-BDHI) problem [MSK02, BB04]. The problem is to compute $\hat{e}(g, g)^{1/\alpha}$ for random $g \in \mathbb{G}$ and $\alpha \in \mathbb{Z}_p$, given $(g, g^{\alpha}, \ldots, g^{\alpha^l})$. The decisional variant of this problem is to distinguish $\hat{e}(g, g)^{1/\alpha}$ from a random element of $\mathbb{G}_T$. We say that adversary $A$ has advantage $\epsilon$ in solving the decisional $l$-BDHI problem if
$$\Pr\left[ A(g, g^{\alpha}, \ldots, g^{\alpha^l}, \hat{e}(g, g)^{1/\alpha}) = 1 \right] - \Pr\left[ A(g, g^{\alpha}, \ldots, g^{\alpha^l}, T) = 1 \right] \ge 2\epsilon,$$
where the probability is over the random choice of $g \in \mathbb{G}$, $\alpha \in \mathbb{Z}_p$, $T \in \mathbb{G}_T$ and over the coins of $A$.

Definition 2.2 The $(t, \epsilon)$ decisional $l$-BDHI assumption holds if no $t$-time adversary $A$ has at least $\epsilon$ advantage in the above game.

Identity-based encryption schemes. An identity-based encryption (IBE) scheme is a tuple of algorithms $\mathcal{IBE} = (\mathsf{Setup}, \mathsf{KeyDer}, \mathsf{Enc}, \mathsf{Dec})$ providing the following functionality. The trusted authority runs $\mathsf{Setup}$ to generate a master key pair $(mpk, msk)$. It publishes the master public key $mpk$ and keeps the master secret key $msk$ private. When a user with identity $ID$ wishes to become part of the system, the trusted authority generates a user decryption key $d_{ID} \stackrel{\$}{\leftarrow} \mathsf{KeyDer}(msk, ID)$, and sends this key over a secure and authenticated channel to the user. To send an encrypted message $m$ to the user with identity $ID$, the sender computes the ciphertext $C \stackrel{\$}{\leftarrow} \mathsf{Enc}(mpk, ID, m)$, which can be decrypted by the user as $m \leftarrow \mathsf{Dec}(d_{ID}, C)$. We refer to [BF03] for details on the security definitions for IBE schemes.

Hierarchical IBE schemes. In a hierarchical IBE (HIBE) scheme, users are organised in a tree of depth $L$, with the root being the master trusted authority. The identity of a user at level $0 \le l \le L$ in the tree is given by a vector $ID = (ID_1, \ldots, ID_l) \in (\{0,1\}^*)^l$. A HIBE scheme is a tuple of algorithms $\mathcal{HIBE} = (\mathsf{Setup}, \mathsf{KeyDer}, \mathsf{Enc}, \mathsf{Dec})$ providing the same functionality as an IBE scheme, except that a user $ID = (ID_1, \ldots, ID_l)$ at level $l$ can use its own secret key $d_{ID}$ to generate a secret key for any of its children $ID' = (ID_1, \ldots, ID_l, ID_{l+1})$ via $d_{ID'} \stackrel{\$}{\leftarrow} \mathsf{KeyDer}(d_{ID}, ID_{l+1})$. Note that by iteratively applying the $\mathsf{KeyDer}$ algorithm, user $ID$ can derive secret keys for any of its descendants $ID' = (ID_1, \ldots, ID_{l+\delta})$, $\delta \ge 0$. We will occasionally use the overloaded notation $d_{ID'} \stackrel{\$}{\leftarrow} \mathsf{KeyDer}(d_{ID}, (ID_{l+1}, \ldots, ID_{l+\delta}))$ to denote this process. The secret key of the root identity at level 0 is $d_{\varepsilon} = msk$. Encryption and decryption are the same as for IBE, but with vectors of bit strings as identities instead of ordinary bit strings.

For $1 \le i \le l$ and $I \subseteq \{1, \ldots, l\}$, we will occasionally use the notations $ID_{\le i}$ to denote the vector $(ID_1, \ldots, ID_i)$, $ID_{> i}$ to denote $(ID_{i+1}, \ldots, ID_l)$, and $ID_I$ to denote $(ID_{i_1}, \ldots, ID_{i_{|I|}})$, where $i_1, \ldots, i_{|I|}$ are the elements of the set $I \subseteq \mathbb{N}$ in increasing order. Also, if $S \subseteq \mathbb{N}$, then we define $S_{\le i} = \{j \in S : j \le i\}$ and $S_{> i} = \{j \in S : j > i\}$.

The security of a HIBE scheme is defined through the following game. In a first phase, the adversary is given as input the master public key $mpk$ of a freshly generated key pair $(mpk, msk) \stackrel{\$}{\leftarrow} \mathsf{Setup}$. In a chosen-plaintext attack (IND-ID-CPA), the adversary is given access to a key derivation oracle that on input an identity $ID = (ID_1, \ldots, ID_l)$ returns the secret key $d_{ID} \stackrel{\$}{\leftarrow} \mathsf{KeyDer}(msk, ID)$ corresponding to identity $ID$. In a chosen-ciphertext attack (IND-ID-CCA), the adversary is additionally given access to a decryption oracle that for a given identity $ID = (ID_1, \ldots, ID_l)$ and a given ciphertext $C$ returns the decryption $m \leftarrow \mathsf{Dec}(\mathsf{KeyDer}(msk, ID), C)$. At the end of the first phase, the adversary outputs two equal-length challenge messages $m_0^*, m_1^* \in \{0,1\}^*$ and a challenge identity $ID^* = (ID_1^*, \ldots, ID_{l^*}^*)$, where $0 \le l^* \le L$. The game chooses a random bit $b \stackrel{\$}{\leftarrow} \{0,1\}$, generates a challenge ciphertext $C^* \stackrel{\$}{\leftarrow} \mathsf{Enc}(mpk, ID^*, m_b^*)$ and gives $C^*$ as input to the adversary for the second phase, during which it gets access to the same oracles as during the first phase. The adversary wins the game if it outputs a bit $b' = b$ without ever having queried the key derivation oracle on any ancestor identity $ID = (ID_1^*, \ldots, ID_l^*)$ of $ID^*$, $l \le l^*$, and, additionally, in the IND-ID-CCA case, without ever having queried $(ID^*, C^*)$ to the decryption oracle.

Definition 2.3 A HIBE scheme is $(t, q_K, \epsilon)$ IND-ID-CPA-secure if all $t$-time adversaries making at most $q_K$ queries to the key derivation oracle have at most advantage $\epsilon$ in winning the IND-ID-CPA game described above. It is said to be $(t, q_K, q_D, \epsilon)$ IND-ID-CCA-secure if all such adversaries that additionally make at most $q_D$ queries to the decryption oracle have advantage at most $\epsilon$ in winning the IND-ID-CCA game described above.

In a selective-identity (sID) attack [BB04], the adversary has to output the challenge identity $ID^*$ at the very beginning of the game, before even seeing the master public key. The definitions for IND-sID-CPA and IND-sID-CCA security are otherwise identical to those above. In the random oracle model [BR94], all algorithms, as well as the adversary, have access to a random oracle mapping arbitrary bit strings onto a range that possibly depends on the master public key. All the above security definitions then take an extra parameter $q_H$ denoting the adversary's maximum number of queries to the random oracle.
3 Identity-Based Encryption with Wildcards

Syntax. Identity-based encryption with wildcards (WIBE) schemes are essentially a generalisation of HIBE schemes where, at the time of encryption, the sender can decide to make the ciphertext decryptable by a whole range of users whose identities match a certain pattern. Such a pattern is described by a vector $P = (P_1, \ldots, P_l) \in (\{0,1\}^* \cup \{*\})^l$, where $*$ is a special wildcard symbol. We say that identity $ID = (ID_1, \ldots, ID_{l'})$ matches $P$, denoted $ID \in_* P$, if and only if $l' \le l$ and for all $i = 1, \ldots, l'$: $ID_i = P_i$ or $P_i = *$. Note that under this definition, any ancestor of a matching identity is also a matching identity. This is reasonable for our purposes because any ancestor can derive the secret key of a matching descendant identity anyway.

More formally, a WIBE scheme is a tuple of algorithms $\mathcal{WIBE} = (\mathsf{Setup}, \mathsf{KeyDer}, \mathsf{Enc}, \mathsf{Dec})$ providing the following functionality. The $\mathsf{Setup}$ and $\mathsf{KeyDer}$ algorithms behave exactly as those of a HIBE scheme. To create a ciphertext of message $m \in \{0,1\}^*$ intended for all identities matching pattern $P$, the sender computes $C \stackrel{\$}{\leftarrow} \mathsf{Enc}(mpk, P, m)$. Any of the intended recipients $ID \in_* P$ can decrypt the ciphertext using its own decryption key as $m \leftarrow \mathsf{Dec}(d_{ID}, C)$. Correctness requires that for all key pairs $(mpk, msk)$ output by $\mathsf{Setup}$, all messages $m \in \{0,1\}^*$, all $0 \le l \le L$, all patterns $P \in (\{0,1\}^* \cup \{*\})^l$, and all identities $ID \in_* P$,
$$\mathsf{Dec}\big(\mathsf{KeyDer}(msk, ID), \mathsf{Enc}(mpk, P, m)\big) = m$$
with probability one.

Security. We define the security of WIBE schemes analogously to that of HIBE schemes, but with the adversary choosing a challenge pattern instead of an identity to which the challenge ciphertext will be encrypted. To exclude trivial attacks, the adversary is not allowed to query the key derivation oracle on any identity that matches the challenge pattern, nor is it allowed to query the decryption oracle on the challenge ciphertext in combination with any identity matching the challenge pattern.

More formally, security is defined through the following game with an adversary. In the first phase, the adversary is run on input the master public key of a freshly generated key pair $(mpk, msk) \stackrel{\$}{\leftarrow} \mathsf{Setup}$. In a chosen-plaintext attack (IND-WID-CPA), the adversary is given access to a key derivation oracle that on input $ID = (ID_1, \ldots, ID_l)$ returns $d_{ID} \stackrel{\$}{\leftarrow} \mathsf{KeyDer}(msk, ID)$. In a chosen-ciphertext attack (IND-WID-CCA), the adversary additionally has access to a decryption oracle that on input a ciphertext $C$ and an identity $ID = (ID_1, \ldots, ID_l)$ returns $m \leftarrow \mathsf{Dec}(\mathsf{KeyDer}(msk, ID), C)$. At the end of the first phase, the adversary outputs two equal-length challenge messages $m_0^*, m_1^*$ and a challenge pattern $P^* = (P_1^*, \ldots, P_{l^*}^*)$ where $0 \le l^* \le L$. The adversary is given a challenge ciphertext $C^* \stackrel{\$}{\leftarrow} \mathsf{Enc}(mpk, P^*, m_{\beta}^*)$ for a randomly chosen bit $\beta$, and is given access to the same oracles as during the first phase of the attack. The second phase ends when the adversary outputs a bit $\beta'$. The adversary is said to win the IND-WID-CPA game if $\beta' = \beta$ and it never queried the key derivation oracle for the keys of any identity that matches the target pattern (i.e., any $ID$ such that $ID \in_* P^*$). Also, in a chosen-ciphertext attack (IND-WID-CCA), the adversary cannot query the decryption oracle on $C^*$ in combination with any identity $ID \in_* P^*$ matching the challenge pattern.

Definition 3.1 A WIBE scheme is $(t, q_K, \epsilon)$ IND-WID-CPA-secure if all $t$-time adversaries making at most $q_K$ queries to the key derivation oracle have at most advantage $\epsilon$ in winning the IND-WID-CPA game described above. It is said to be $(t, q_K, q_D, \epsilon)$ IND-WID-CCA-secure if all such adversaries that additionally make at most $q_D$ queries to the decryption oracle have at most advantage $\epsilon$ in winning the IND-WID-CCA game described above.

As for the case of HIBEs, we also define a weaker selective-identity (sWID) security notion, in which the adversary commits to the challenge pattern at the beginning of the game, before the master public key is made available. The notions of IND-sWID-CPA and IND-sWID-CCA security are defined analogously to the above. In the random oracle model, the additional parameter $q_H$ denotes the adversary's maximum number of queries to the random oracle, or the total number of queries to all random oracles when it has access to multiple ones.
4 A Generic Construction

We first point out that a generic construction of a WIBE scheme exists based on any HIBE scheme, but with a secret key size that is exponential in the depth of the hierarchy tree. Let $\overline{*}$ denote a dedicated bit string, distinct from the wildcard symbol $*$, that cannot occur as a user identity. Then the secret key of a user with identity $(ID_1, \ldots, ID_l)$ in the WIBE scheme contains the HIBE secret keys of all patterns matching this identity. For example, the secret key of identity $(ID_1, ID_2)$ contains four HIBE secret keys, namely those corresponding to the identities $(ID_1, ID_2)$, $(\overline{*}, ID_2)$, $(ID_1, \overline{*})$ and $(\overline{*}, \overline{*})$. In general, the secret key of $(ID_1, \ldots, ID_l)$ contains the HIBE secret keys of all $2^l$ identities $(ID_1', \ldots, ID_l')$ such that $ID_i' = ID_i$ or $ID_i' = \overline{*}$ for all $i = 1, \ldots, l$. To encrypt to a pattern $(P_1, \ldots, P_l)$, one uses the HIBE scheme to encrypt to the identity obtained by replacing each wildcard in the pattern with the $\overline{*}$ string, i.e. the identity $(ID_1, \ldots, ID_l)$ where $ID_i = \overline{*}$ if $P_i = *$ and $ID_i = P_i$ otherwise. Decryption is done by selecting the appropriate secret key from the list and using the decryption algorithm of the HIBE scheme.

The efficiency of the WIBE scheme thus obtained is roughly the same as that of the underlying HIBE scheme, but with the major disadvantage that the size of the secret key is $2^l$ times that of a secret key in the underlying HIBE scheme. This is highly undesirable for many applications, especially since the secret key may very well be kept on an expensive, secure storage device. Moreover, from a theoretical point of view, it is interesting to investigate whether WIBE schemes exist with overhead polynomial in all parameters. We answer this question in the affirmative here by presenting direct schemes with secret key size linear in $l$. Unfortunately, for all of our schemes, this reduction in key size comes at the cost of linear-size ciphertexts, while the generic scheme can achieve constant-size ciphertexts when underlain by a HIBE with constant ciphertext size, e.g. that of [BBG05].
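The following is an added example, not code from the paper: it implements the combinatorial core of the generic construction above together with the matching relation $ID \in_* P$ of Section 3, leaving the HIBE itself abstract. It shows which HIBE identities a WIBE user's key must contain (and the $2^l$ blow-up), which single HIBE identity a pattern is encrypted to, how a matching recipient (including an ancestor, which must first derive downwards) selects the key it uses, and an exhaustive check that the needed key is present exactly when the identity matches the pattern. The reserved string is represented as a NUL-prefixed string on the assumption that user identity components never contain NUL; that encoding is the example's own choice.

```python
"""
Added example (not from the paper): the combinatorial core of the generic
WIBE-from-HIBE construction of Section 4 with the matching relation of Section 3.
The HIBE is left abstract; what is shown is which HIBE identities a WIBE key holds,
which HIBE identity a pattern is encrypted to, how a recipient picks its key, and a
brute-force check that the two coincide exactly when the identity matches the pattern.
"""
from itertools import product

WILDCARD = "*"                 # wildcard symbol allowed in patterns (Section 3)
RESERVED = "\x00wildcard"      # the dedicated string standing in for a wildcard inside a HIBE
                               # identity; assumption: user components never contain NUL


def matches(identity, pattern):
    """ID in_* P: |ID| <= |P| and each component equals P_i or P_i is a wildcard."""
    return len(identity) <= len(pattern) and all(
        p == WILDCARD or p == c for c, p in zip(identity, pattern))


def is_valid_identity(identity):
    """Neither the wildcard symbol nor the reserved string may be a user component."""
    return all(c not in (WILDCARD, RESERVED) for c in identity)


def wibe_key_identities(identity):
    """The 2^l HIBE identities whose secret keys form the WIBE key of `identity`:
    every component is either kept or replaced by the reserved string."""
    if not is_valid_identity(identity):
        raise ValueError("identity contains a forbidden component")
    return [tuple(choice) for choice in product(*[(c, RESERVED) for c in identity])]


def pattern_to_hibe_identity(pattern):
    """Encryption target: the pattern with every wildcard replaced by the reserved string."""
    return tuple(RESERVED if p == WILDCARD else p for p in pattern)


def select_decryption_key(identity, pattern):
    """Recipient side.  Returns (HIBE identity of the key to use, components still to
    derive) or None when the identity does not match.  An exact recipient uses one of
    its 2^l keys directly; an ancestor uses the key for its own prefix and derives the
    remaining components with the HIBE KeyDer before decrypting."""
    if not matches(identity, pattern):
        return None
    target = pattern_to_hibe_identity(pattern)
    own = target[: len(identity)]
    assert own in wibe_key_identities(identity)     # guaranteed by the match
    return own, target[len(identity):]


def check_generic_construction(universe, depth):
    """Exhaustive check over all identities and patterns of length <= depth built from
    `universe`: ID's key list contains the HIBE identity a ciphertext for P needs
    exactly when ID in_* P.  Returns the number of (ID, P) pairs examined."""
    examined = 0
    for l in range(depth + 1):
        for identity in product(universe, repeat=l):
            keys = set(wibe_key_identities(identity))
            assert len(keys) == 2 ** l                  # the exponential key-size cost
            for lp in range(depth + 1):
                for pattern in product(universe + (WILDCARD,), repeat=lp):
                    target = pattern_to_hibe_identity(pattern)
                    has_key = len(identity) <= len(pattern) and target[: len(identity)] in keys
                    assert has_key == matches(identity, pattern), (identity, pattern)
                    examined += 1
    return examined
```

The check also confirms the remark in Section 3 that ancestors of a matching identity match as well: the root identity `()` holds a single key and matches every pattern, and a level-2 identity under a length-4 pattern still has to derive two further components before it can decrypt.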
Another related primitive is fuzzy identity-based encryption (FIBE) [SW05], which allows a ciphertext encrypted to identity $ID$ to be decrypted by any identity $ID'$ that is close to $ID$ according to some metric. In the schemes of [SW05], an identity is a subset containing $n$ elements from a finite universe. Two identities $ID$ and $ID'$ are considered close if $|ID \cap ID'| \ge d$ for some parameter $d$. Such a FIBE scheme could be used to construct a limited WIBE scheme (without hierarchical key derivation) by letting identity $(ID_1, \ldots, ID_n)$ correspond to the set $\{1\|ID_1, \ldots, n\|ID_n\}$. To encrypt to a pattern $P = (P_1, \ldots, P_n)$ containing $n - d$ wildcards, one uses the FIBE scheme to encrypt to the set $\{1\|P_1', \ldots, n\|P_n'\}$, where $P_i' = P_i$ if $P_i \ne *$ and $P_i' = \overline{*}$ if $P_i = *$. The schemes of [SW05] require $n$ and $d$ to be fixed beforehand. Variable identity lengths $l$ and numbers of wildcards $w$ can be accommodated by setting $n = 2L$, $d = L$ and by letting the set corresponding to identity $(ID_1, \ldots, ID_l)$ be $\{1\|ID_1, \ldots, l\|ID_l, (l+1)\|\varepsilon, \ldots, L\|\varepsilon, 1\|\overline{*}, \ldots, L\|\overline{*}\}$. One can then encrypt to pattern $(P_1, \ldots, P_l)$ by encrypting to the set $\{1\|P_1', \ldots, l\|P_l', (l+1)\|\varepsilon, \ldots, 2L\|\varepsilon\}$, where the $P_i'$ are defined as above.

5 A Construction from Waters' HIBE Scheme

5.1 Waters' HIBE Scheme

Waters [Wat05] argued that his IBE scheme can easily be modified into an $L$-level HIBE scheme as per [BB04]. Here we explicitly present this construction, which we refer to as the Wa-HIBE scheme, as it will be useful for understanding our first construction of a WIBE scheme.

Setup. The trusted authority chooses random generators $g_1, g_2, u_{1,0}, \ldots, u_{L,n} \stackrel{\$}{\leftarrow} \mathbb{G}$ and a random value $\alpha \stackrel{\$}{\leftarrow} \mathbb{Z}_p$, where $L$ is the maximum hierarchy depth and $n$ is the length of an identity string. Next, it computes $h_1 \leftarrow g_1^{\alpha}$ and $h_2 \leftarrow g_2^{\alpha}$. The master public key is $mpk = (g_1, g_2, h_1, u_{1,0}, \ldots, u_{L,n})$; the corresponding master secret key is $msk = h_2$.
Key Derivation. A user's identity is given by a vector $ID = (ID_1, \ldots, ID_l)$ where each $ID_i$ is an $n$-bit string, applying a collision-resistant hash function if necessary. When we write $j \in ID_i$, we mean that the variable $j$ iterates over all bit positions $1 \le j \le n$ where the $j$-th bit of $ID_i$ is one. Using this notation, for $i = 1, \ldots, L$, we define the function
$$F_i(ID_i) = u_{i,0} \prod_{j \in ID_i} u_{i,j},$$
where the $u_{i,j}$ are the elements in the master public key. To compute the decryption key for identity $ID$ from the master secret key, first random values $r_1, \ldots, r_l \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ are chosen, then the private key $d_{ID}$ is constructed as
$$(a_0, a_1, \ldots, a_l) = \Big( h_2 \prod_{i=1}^{l} F_i(ID_i)^{r_i},\ g_1^{r_1}, \ldots, g_1^{r_l} \Big).$$
A secret key for identity $ID = (ID_1, \ldots, ID_l)$ can be computed by its parent with identity $(ID_1, \ldots, ID_{l-1})$ as follows. Let $(a_0', a_1', \ldots, a_{l-1}')$ be the parent's secret key. It chooses $r_l \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ and outputs
$$d_{ID} = \big( a_0' \cdot F_l(ID_l)^{r_l},\ a_1', \ldots, a_{l-1}',\ g_1^{r_l} \big).$$

Encryption. To encrypt a message $m \in \mathbb{G}_T$ for identity $ID = (ID_1, \ldots, ID_l)$, the sender chooses $t \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ and computes the ciphertext $C = (C_1, C_2, C_3)$ as
$$C_1 \leftarrow g_1^{t}, \qquad C_2 \leftarrow \big( C_{2,i} = F_i(ID_i)^{t} \big)_{i = 1, \ldots, l}, \qquad C_3 \leftarrow m \cdot \hat{e}(h_1, g_2)^{t}.$$

Decryption. If the receiver is the root authority (i.e., the empty identity $ID = \varepsilon$) holding the master key $msk = h_2$, then it can recover the message by computing $m \leftarrow C_3 / \hat{e}(C_1, h_2)$. Any other receiver with identity $ID = (ID_1, \ldots, ID_l)$ and decryption key $d_{ID} = (a_0, a_1, \ldots, a_l)$ decrypts a ciphertext $C = (C_1, C_2, C_3)$ as follows:
$$\begin{aligned}
C_3 \cdot \frac{\prod_{i=1}^{l} \hat{e}(a_i, C_{2,i})}{\hat{e}(C_1, a_0)}
&= m \cdot \hat{e}(h_1, g_2)^{t} \cdot \frac{\prod_{i=1}^{l} \hat{e}\big(g_1^{r_i}, F_i(ID_i)^{t}\big)}{\hat{e}\big(g_1^{t},\ h_2 \prod_{i=1}^{l} F_i(ID_i)^{r_i}\big)} \\
&= m \cdot \hat{e}(h_1, g_2)^{t} \cdot \frac{\prod_{i=1}^{l} \hat{e}\big(g_1^{r_i}, F_i(ID_i)^{t}\big)}{\hat{e}(g_1^{t}, h_2) \cdot \hat{e}\big(g_1^{t}, \prod_{i=1}^{l} F_i(ID_i)^{r_i}\big)} \\
&= m \cdot \frac{\hat{e}(g_1^{\alpha}, g_2)^{t}}{\hat{e}(g_1^{t}, g_2^{\alpha})} \cdot \frac{\prod_{i=1}^{l} \hat{e}\big(g_1^{r_i}, F_i(ID_i)^{t}\big)}{\prod_{i=1}^{l} \hat{e}\big(g_1^{t}, F_i(ID_i)^{r_i}\big)} \;=\; m.
\end{aligned}$$

Waters [Wat05] informally states that the above HIBE scheme is IND-ID-CPA secure under the BDDH assumption, in the sense that if there exists a $(t, q_K, \epsilon)$-adversary against the HIBE, then there exists an algorithm solving the BDDH problem with advantage $\epsilon' = O\big((n q_K)^{-L} \epsilon\big)$.

5.2 The Wa-WIBE Scheme

We first introduce some additional notation. If $P = (P_1, \ldots, P_l)$ is a pattern, then let $|P| = l$ be the length of $P$, let $W(P)$ be the set containing all wildcard indices in $P$, i.e. the indices $1 \le i \le l$ such that $P_i = *$, and let $\overline{W}(P)$ be the complementary set containing all non-wildcard indices. Clearly $W(P) \cap \overline{W}(P) = \emptyset$ and $W(P) \cup \overline{W}(P) = \{1, \ldots, l\}$. We also extend the notations $P_{\le i}$, $P_{> i}$ and $P_I$ that we introduced for identity vectors to patterns in the natural way.

Intuitively, we adapt the Wa-HIBE scheme to support wildcards by observing that the ciphertext components $C_{2,i}$ are actually products of $u_{i,0}^{t}$ and those factors $u_{i,j}^{t}$ for which the $j$-th bit of $ID_i$ is one. If we include these factors separately in the ciphertext, instead of their product, then we can postpone the computation of the product to decryption time and let each recipient combine the factors corresponding to his own identity. Of course, one still needs to show that giving away these factors in the ciphertext does not affect security. We first describe our construction in more detail, and subsequently show in Theorem 5.1 that its security is implied by that of the Wa-HIBE scheme.

We build a WIBE scheme Wa-WIBE from the Wa-HIBE scheme with $\mathsf{Setup}$ and $\mathsf{KeyDer}$ algorithms identical to those of the Wa-HIBE scheme, and with encryption and decryption algorithms that work as follows.

Encryption. To encrypt a message $m \in \mathbb{G}_T$ to all identities matching pattern $P = (P_1, \ldots, P_l)$, the sender chooses $t \stackrel{\$}{\leftarrow} \mathbb{Z}_p$ and outputs the ciphertext $C = (P, C_1, C_2, C_3, C_4)$, where
$$\begin{aligned}
C_1 &\leftarrow g_1^{t}, & C_3 &\leftarrow m \cdot \hat{e}(h_1, g_2)^{t}, \\
C_2 &\leftarrow \big( C_{2,i} = F_i(P_i)^{t} \big)_{i \in \overline{W}(P)}, & C_4 &\leftarrow \big( C_{4,i,j} = u_{i,j}^{t} \big)_{i \in W(P),\ j = 0, \ldots, n}.
\end{aligned}$$

Decryption. If the receiver is the root authority (i.e., the empty identity $ID = \varepsilon$) holding the master key $msk = h_2$, then it can recover the message by computing $C_3 / \hat{e}(C_1, h_2)$. Any other receiver with identity $ID = (ID_1, \ldots, ID_{l'})$ matching the pattern $P$ to which the ciphertext was created (i.e., $ID \in_* P$) can decrypt the ciphertext $C = (P, C_1, C_2, C_3, C_4)$ by computing $C_2' = (C_{2,i}')_{i = 1, \ldots, l'}$ as
$$C_{2,i}' = F_i(ID_i)^{t} = \begin{cases} C_{2,i} & \text{if } i \in \overline{W}(P), \\ C_{4,i,0} \prod_{j \in ID_i} C_{4,i,j} & \text{if } i \in W(P), \end{cases}$$
and then using his secret key to decrypt the ciphertext $C' = (C_1, C_2', C_3)$ via the $\mathsf{Dec}$ algorithm of the Wa-HIBE scheme.

The master public key of the Wa-WIBE scheme contains $(n+1)L + 3$ group elements. Encrypting to a pattern of length $l$ containing $w$ wildcards comes at the cost of $l + nw + 2$ exponentiations and $l + nw + 2$ group elements in the ciphertext; in the worst case of $l = w = L$ this means $(n+1)L + 2$ exponentiations and group elements. (The pairing $\hat{e}(h_1, g_2)$ can be precomputed.) Decryption requires the computation of $l + 1$ pairings.

In terms of efficiency, the Wa-WIBE scheme performs well enough to be considered for use in practice, but definitely leaves room for improvement. The main problem is the dependency of the scheme on $n$, the bit length of identity strings. In practice, one would typically use the output of a collision-resistant hash function as identity strings, so that $n = 160$ for a reasonable level of security. We note that the techniques of [CS06, Nac05] could be applied to trade a factor $d$ of efficiency against losing a factor $2^{Ld}$ in the tightness of the reduction.

We now prove the security of the Wa-WIBE scheme. To make the proof more modular, and to avoid repeating the work of [Wat05], we do this by reducing to the security of the Wa-HIBE scheme, rather than to the BDDH problem directly.

Theorem 5.1 If the Wa-HIBE scheme of depth $L$ is $(t', q_K', \epsilon')$ IND-ID-CPA-secure, then the Wa-WIBE scheme of depth $L$ is $(t, q_K, \epsilon)$ IND-WID-CPA-secure for all $t \le t' - L n (1 + q_K)\, t_{\exp}$, $q_K \le q_K'$, and $\epsilon' \le \epsilon / 2^{L}$, where $t_{\exp}$ is the time it takes to perform an exponentiation in $\mathbb{G}$.
11 Proof: The proof of Theorem 5.1 s by contradcton. That s, we frst assume that there exsts an adversary A that breaks the IND-WID-CPA-securty of thewa-wibe scheme and then we show how to effcently buld another adversary B whch uses A to break the securty of thewa-hibe scheme. Let mpk H = g 1,g 2,h 1,u 1,0,...,u L,n ) be the master publc key of thewa-hibe scheme that adversary B receves as nput for ts frst phase. The dea of the proof s that B wll guess upfront where n the challenge pattern P the wldcards are gong to be, and project the non-wldcard levels of the dentty tree of the WIBE scheme onto the frst levels of the HIBE scheme. In partcular, B wll reuse values u,j from mpk H for the non-wldcard levels, and wll embed new values u,j values of whch B knows the dscrete logarthms for wldcard levels. Frst, B guesses a random vector ˆP = ˆP 1,..., ˆP L ) {ε,*} L. Defne the projecton functon π : {1,...,L} {0,...,L} such that π) = { 0 f W ˆP) W ˆP) otherwse Intutvely, B wll project denttes at level of the WIBE scheme onto level π) of the HIBE scheme whenever π) 0. Next, the adversary B runs adversary A provdng t as nput for ts frst phase a publc-key mpk W = g 1,g 2,h 1,u 1,0,...,u L,n ), where for all 1 L and 0 j n, the elements u,j are generated as u,j gα,j 1 where α,j Z p f W ˆP), and u,j u π),j otherwse. Defne functons F ID ) = u,0 j ID u,j. Notce that mpk A s dstrbuted exactly as t would be f produced by the setup algorthm descrbed n Secton 5.2. Durng the frst phase, B has to answer all the key dervaton queres ID = ID 1,...,ID l ) that A s allowed to ask. For that, B frst computes the correspondng dentty on the HIBE tree ID = ID W ˆP), whch s the dentty obtaned by removng from ID all components at levels where ˆP contans a wldcard. That s, the dentty ID s obtaned from ID by projectng the component at level of the WIBE onto level π) of the HIBE f π) 0. B then queres ts own key dervaton oracle for the Wa-HIBE scheme on nput ID to get the key d = a 0,...,a πl) ). 
From ths, t computes the key d = a 0,...,a l ) as a 0 a 0 a W ˆP) F ID ) r { g r 1 f W ˆP) a π) f W ˆP) where r Z p for all W ˆP). At the end of ts frst phase, A outputs the challenge pattern P = P1,...,P l ) and challenge messages m 0,m 1. If WP ) W ˆP) then B aborts. Otherwse, B outputs the correspondng HIBE dentty ID = P WP ) together wth challenge messages m 0,m 1. Let C = C1,C 2,C 3 ) be the challenge cphertext that B receves n return from ts challenger, meanng that C s an encrypton of m b wth respect to the dentty ID, where b s the secret bt chosen at random by the challenger. B sets C 1 C 1, C 2 C 2, C 3 C 3 and C 4 C 1 α,j ) WP ), j=0,...,n and sends to A the cphertext C = P,C 1,C 2,C 3,C 4 ) as the nput for ts second phase. Durng the second phase, A s then allowed to ssue more key dervaton queres, whch are answered by B exactly as n the frst phase. When A outputs a bt b, B outputs b and stops. In order to analyse the success probablty of B, we frst need to show that the smulaton t provdes to A s correct. The secret key d = a 0,...,a l ) returned for dentty ID 1,...,ID l ) can be seen to be 9
correctly distributed since, if $a_i = g_1^{r_i}$ for $1 \le i \le l$, then

$$\begin{aligned} a_0 &= a'_0 \cdot \prod_{i \in W(\hat P)} F'_i(ID_i)^{r_i} \\ &= h_2 \prod_{i \notin W(\hat P)} F_{\pi(i)}(ID_i)^{r_i} \cdot \prod_{i \in W(\hat P)} F'_i(ID_i)^{r_i} \\ &= h_2 \prod_{i \notin W(\hat P)} \Big( u_{\pi(i),0} \prod_{j \in ID_i} u_{\pi(i),j} \Big)^{r_i} \cdot \prod_{i \in W(\hat P)} F'_i(ID_i)^{r_i} \\ &= h_2 \prod_{i \notin W(\hat P)} \Big( u'_{i,0} \prod_{j \in ID_i} u'_{i,j} \Big)^{r_i} \cdot \prod_{i \in W(\hat P)} F'_i(ID_i)^{r_i} \\ &= h_2 \prod_{i \notin W(\hat P)} F'_i(ID_i)^{r_i} \cdot \prod_{i \in W(\hat P)} F'_i(ID_i)^{r_i} \\ &= h_2 \prod_{i=1}^{l} F'_i(ID_i)^{r_i}, \end{aligned}$$

where all products run over levels $i \le l$.

Moreover, the challenge ciphertext $C = (P^*, C_1, C_2, C_3, C_4)$ sent to A can be seen to be correctly formed when $W(P^*) = W(\hat P)$ as follows. Consider the ciphertext $C' = (C'_1, C'_2, C'_3)$ that B receives back from the challenger after outputting $(ID^*, m_0, m_1)$ where $ID^* = P^*_{\notin W(P^*)}$. We know that, for unknown values $t \in \mathbb{Z}_p$ and $b \in \{0, 1\}$, $C'_1 = g_1^t$, $C'_3 = m_b \cdot \hat e(h_1, g_2)^t$ and

$$C'_2 = \big( C'_{2,i} = F_i(ID^*_i)^t \big)_{i = 1, \ldots, \pi(l^*)} = \big( C'_{2,i} = F'_i(P^*_i)^t \big)_{i \notin W(P^*)}.$$

Since B sets $C_1 = C'_1$, $C_2 = C'_2$ and $C_3 = C'_3$, it follows that $C_1$, $C_2$ and $C_3$ are of the correct form. To show that $C_4$ is correctly formed, notice that $u'_{i,j} = g_1^{\alpha_{i,j}}$ for indices $i \in W(P^*)$ and $j = 0, \ldots, n$. Thus,

$$C_{4,i,j} = (C'_1)^{\alpha_{i,j}} = g_1^{t \alpha_{i,j}} = \big( g_1^{\alpha_{i,j}} \big)^t = (u'_{i,j})^t$$

as required.

We also need to argue that B does not query its key derivation oracle on any identities that are considered illegal in the IND-ID-CPA game when its guess for $W(P^*)$ is correct. Illegal identities are the challenge identity $ID^* = P^*_{\notin W(P^*)}$ or any ancestors of it, i.e. any $ID^*_{\le l}$ for $l \le |ID^*|$. Adversary B only makes such queries when A queries its key derivation oracle on an identity $ID = (ID_1, \ldots, ID_l)$ such that $l \le l^*$ and $ID_i = P^*_i$ for all $i \notin W(P^*)$, $i \le l$. By our matching definition, this would mean that $ID \in^* P^*$, which is illegal in the IND-WID-CPA game as well. Note that, whenever $l > l^*$, we always have that $|ID'| > |ID^*|$, since $W(\hat P) = W(P^*) \subseteq \{1, \ldots, l^*\}$ contains no level above $l^*$.

To conclude the proof, we notice that the success probability of B is at least that of A when its guess for $W(P^*)$ is correct. Let $\epsilon'$ be the probability that A wins the IND-WID-CPA game. Thus, it follows that the overall success probability of B winning the IND-ID-CPA game is at least $\epsilon'/2^L$. Note that the proof above loses a factor of $2^L$ in the security reduction.
This limits the secure use of the scheme in practice to very small (logarithmic) hierarchy depths, but this was already the case for the Wa-HIBE scheme as well, which loses a factor $(nq_K)^L$ in its reduction to the BDDH problem. In addition, we only lose an additional factor of $L^2$ when allowing only patterns with a single sequence of consecutive wildcards, for example $(ID_1, *, *, *, ID_5)$ or $(ID_1, *, *)$. In the selective-identity notion, there is no need to guess the challenge pattern, so we do not lose any tightness with respect to the Wa-HIBE scheme.
6 More Efficient Constructions in the Random Oracle Model

In this section, we present two alternative schemes based on the Boneh-Boyen [BB04] and Boneh-Boyen-Goh [BBG05] HIBE schemes that perform better in terms of efficiency. In particular, unlike the Wa-WIBE scheme, their efficiency is independent of the bit length $n$ of identity strings: adding a wildcard to the recipient pattern only requires two extra exponentiations and two extra group elements in the ciphertext, as opposed to $n + 1$ of these in the Wa-WIBE scheme. Just like their underlying HIBE schemes however, they can be proved secure only in the weaker selective-identity setting. As observed for the case of IBE and HIBE schemes by Boneh, Boyen and Goh [BB04, BBG05], these schemes can be made fully secure in the random oracle model (but losing a factor exponential in $L$ in tightness) by applying a hash function to the identity strings. We first present the two alternative WIBE schemes, and for completeness prove the generic transformation from selective-identity to full security for the case of WIBE schemes in Section 6.3.

6.1 A Construction from Boneh-Boyen's HIBE Scheme

Our first construction in the random oracle model is based on a slight variant of the Boneh-Boyen HIBE scheme [BB04] that we refer to as the BB'-HIBE scheme. It is presented in detail and proved secure in Appendix A. The BB'-WIBE scheme that we derive from it works as follows.

Setup. The trusted authority chooses random generators $g_1, g_2$ from $G$, a random $\alpha \in \mathbb{Z}_p$ and sets $h_1 \leftarrow g_1^\alpha$. Next, it picks random elements $u_{1,0}, \ldots, u_{L,0}, u_{1,1}, \ldots, u_{L,1}$ from $G$ and sets $h_2 \leftarrow g_2^\alpha$. The master public key is $mpk = (g_1, h_1, g_2, u_{1,0}, \ldots, u_{L,0}, u_{1,1}, \ldots, u_{L,1})$. The corresponding master secret key is $msk = h_2$.

Key Derivation. A user's identity is given by a vector $ID = (ID_1, \ldots, ID_l)$ where each $ID_i$ is an element in $\mathbb{Z}_p$.
To compute the decryption key for identity $ID$ from the master secret key, first one chooses random values $r_i \in \mathbb{Z}_p$ for $i = 1, \ldots, l$, then the private key $d_{ID}$ is constructed as

$$(a_0, a_1, \ldots, a_l) = \Big( h_2 \prod_{i=1}^{l} \big( u_{i,0}\, u_{i,1}^{ID_i} \big)^{r_i},\ g_1^{r_1}, \ldots, g_1^{r_l} \Big).$$

Notice that, as required, the secret key for identity $ID = (ID_1, \ldots, ID_l)$ can be computed from the secret key $(a_0, a_1, \ldots, a_{l-1})$ of the parent $(ID_1, \ldots, ID_{l-1})$ by choosing a random $r_l \in \mathbb{Z}_p$ and outputting

$$d_{ID} = \Big( a_0 \cdot \big( u_{l,0}\, u_{l,1}^{ID_l} \big)^{r_l},\ a_1, \ldots, a_{l-1},\ g_1^{r_l} \Big).$$

Encryption. To create a ciphertext of message $m \in G_T$ intended for all identities matching pattern $P = (P_1, \ldots, P_l)$, where $1 \le l \le L$, the sender chooses $t \in \mathbb{Z}_p$ and outputs the ciphertext $C = (P, C_1, C_2, C_3, C_4)$, where

$$C_1 \leftarrow g_1^t, \quad C_2 \leftarrow \big( C_{2,i} = (u_{i,0}\, u_{i,1}^{P_i})^t \big)_{i \notin W(P)}, \quad C_3 \leftarrow m \cdot \hat e(h_1, g_2)^t, \quad C_4 \leftarrow \big( C_{4,i,j} = u_{i,j}^t \big)_{i \in W(P),\, j = 0, 1}.$$

Decryption. If the receiver is the root authority (i.e., the empty identity $ID = \varepsilon$) holding the master key $msk = h_2$, then he can recover the message by computing $C_3 / \hat e(C_1, h_2)$. Any other receiver with identity $ID = (ID_1, \ldots, ID_l)$ matching the pattern $P$ to which the ciphertext was created (i.e., $ID \in^* P$) can decrypt the ciphertext $C = (P, C_1, C_2, C_3, C_4)$ as follows. Let $d_{ID} = (a_0,$
$a_1, \ldots, a_l)$ be the decryption key for the receiver with identity $ID$. He recovers the message by computing

$$C'_{2,i} \leftarrow \begin{cases} C_{2,i} & \text{if } i \notin W(P) \\ C_{4,i,0} \cdot C_{4,i,1}^{ID_i} & \text{if } i \in W(P) \end{cases} \quad \text{for } i = 1, \ldots, l, \qquad m \leftarrow C_3 \cdot \frac{\prod_{i=1}^{l} \hat e(a_i, C'_{2,i})}{\hat e(C_1, a_0)}.$$

In terms of efficiency, the BB'-WIBE scheme easily outperforms the Wa-WIBE scheme: the master public key contains $2L + 3$ group elements. Encryption to a recipient pattern of length $l$ and $w$ wildcards involves $l + w + 2$ (multi-)exponentiations and produces ciphertexts containing $l + w + 2$ group elements, or $2L + 2$ of each of these in the worst case that $l = w = L$. Decryption requires the computation of $l + 1$ pairings, just like the Wa-WIBE scheme.

The BB'-WIBE scheme can actually be seen as a close relative of the Wa-WIBE scheme, with the functions $F_i(ID_i)$ being defined as $F_i(ID_i) = u_{i,0}\, u_{i,1}^{ID_i}$. Its security properties are different though: the BB'-WIBE scheme can be proved secure in the selective-identity model only. We reduce its security to that of the BB'-HIBE scheme, which in its turn is proved IND-sID-CPA-secure under the BDDH assumption in Appendix A. The proof of the theorem below is very analogous to that of Theorem 5.1, and hence omitted. One important difference with Theorem 5.1 is that the reduction from the BB'-HIBE scheme is tight: because we prove security in the selective-identity model, we do not lose a factor $2^L$ due to having to guess the challenge pattern upfront.

Theorem 6.1 If the BB'-HIBE scheme with hierarchy depth $L$ is $(t, q_K, \epsilon)$ IND-sID-CPA-secure, then the BB'-WIBE scheme of depth $L$ is $(t', q'_K, \epsilon')$ IND-sWID-CPA-secure for all $t' \le t - 2L(1 + q_K)\, t_{\exp}$, $q'_K \le q_K$ and $\epsilon' \le \epsilon$, where $t_{\exp}$ is the time required to compute an exponentiation in $G$.

6.2 A Construction from Boneh-Boyen-Goh's HIBE Scheme

In this section we describe a WIBE scheme with shorter ciphertexts, especially when the recipient pattern contains few wildcards. When encrypting to a pattern of length $l$ with $w$ wildcards, a ciphertext of the BB'-WIBE scheme contains $l + w + 2$ group elements.
The HIBE scheme of Boneh-Boyen-Goh [BBG05] offers constant-size ciphertexts (i.e., independent of the level $l$ of the recipient identity) at the cost of being secure only under the stronger decisional $L$-BDHI assumption. Based on this scheme, we build the BBG'-WIBE scheme that offers ciphertexts of length $w + 3$ group elements and is secure under the same decisional $L$-BDHI assumption. The scheme is the following:

Setup. The trusted authority chooses random generators $g_1, g_2, u_0, \ldots, u_L$ from $G$, a random $\alpha \in \mathbb{Z}_p$ and sets $h_1 \leftarrow g_1^\alpha$ and $h_2 \leftarrow g_2^\alpha$. The master public key is $mpk = (g_1, g_2, h_1, u_0, \ldots, u_L)$. The corresponding master secret key is $msk = h_2$.

Key Derivation. The scheme assumes that a user's identity is given by a vector $ID = (ID_1, \ldots, ID_l)$ of elements in $\mathbb{Z}_p$ [1]. To compute the decryption key for identity $ID$ from the master secret

[1] This can be easily generalised to the case in which the identities are vectors of $n$-bit strings by first hashing each component $ID_i$ into $\mathbb{Z}_p$ using a collision resistant hash function $H : \{0, 1\}^* \to \mathbb{Z}_p$.
key, first a random $r \in \mathbb{Z}_p$ is chosen, then the private key is constructed as

$$d_{ID} = (a_0, a_{l+1}, \ldots, a_L, a_{L+1}) = \Big( h_2 \Big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \Big)^r,\ u_{l+1}^r, \ldots, u_L^r,\ g_1^r \Big).$$

The secret key for identity $ID = (ID_1, \ldots, ID_l)$ can be computed from the secret key $(a_0, a_l, \ldots, a_{L+1})$ of its parent $(ID_1, \ldots, ID_{l-1})$ by choosing a random $r' \in \mathbb{Z}_p$ and outputting

$$d_{ID} = \Big( a_0 \cdot a_l^{ID_l} \cdot \Big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \Big)^{r'},\ a_{l+1} u_{l+1}^{r'}, \ldots, a_L u_L^{r'},\ a_{L+1} g_1^{r'} \Big).$$

Encryption. To create a ciphertext of message $m \in G_T$ intended for all identities matching pattern $P = (P_1, \ldots, P_l)$, where $l \le L$, the sender chooses $t \in \mathbb{Z}_p$ and outputs the ciphertext $C = (P, C_1, C_2, C_3, C_4)$, where

$$C_1 \leftarrow g_1^t, \quad C_3 \leftarrow m \cdot \hat e(h_1, g_2)^t, \quad C_2 \leftarrow \Big( u_0 \prod_{i \notin W(P)} u_i^{P_i} \Big)^t, \quad C_4 \leftarrow \big( C_{4,i} = u_i^t \big)_{i \in W(P)}.$$

Decryption. If the receiver is the root authority (i.e., the empty identity $ID = \varepsilon$) holding the master key $msk = h_2$, then he can recover the message by computing $C_3 / \hat e(C_1, h_2)$. Any other receiver with identity $ID = (ID_1, \ldots, ID_l)$ matching the pattern $P$ to which the ciphertext was created (i.e., $ID \in^* P$) can decrypt the ciphertext $C = (P, C_1, C_2, C_3, C_4)$ as follows. Let $d_{ID} = (a_0, \ldots, a_{L+1})$ be the decryption key for the receiver with identity $ID$. He recovers the message by computing

$$C'_2 \leftarrow C_2 \cdot \prod_{i \in W(P),\, i \le l} C_{4,i}^{ID_i}, \qquad m \leftarrow C_3 \cdot \frac{\hat e(C'_2, a_{L+1})}{\hat e(C_1, a_0)}.$$

The fact that decryption works can be seen as follows. Since $ID \in^* P$, we have that $P_i = ID_i$ for all $i \notin W(P)$. We then have that:

$$\begin{aligned} \frac{\hat e(C'_2, a_{L+1})}{\hat e(C_1, a_0)} &= \frac{\hat e\Big( C_2 \prod_{i \in W(P),\, i \le l} C_{4,i}^{ID_i},\ g_1^r \Big)}{\hat e\Big( g_1^t,\ h_2 \big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \big)^r \Big)} \\ &= \frac{\hat e\Big( \big( u_0 \prod_{i \notin W(P)} u_i^{P_i} \big)^t \prod_{i \in W(P),\, i \le l} (u_i^t)^{ID_i},\ g_1^r \Big)}{\hat e(g_1^t, h_2) \cdot \hat e\Big( g_1^t,\ \big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \big)^r \Big)} \\ &= \frac{\hat e\Big( \big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \big)^t,\ g_1^r \Big)}{\hat e(g_1^t, h_2) \cdot \hat e\Big( g_1^t,\ \big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \big)^r \Big)} \\ &= \frac{1}{\hat e(h_1, g_2)^t}. \end{aligned}$$
The BBG'-WIBE scheme is significantly more efficient than the Wa-WIBE and BB'-WIBE schemes in terms of decryption, and also offers more efficient encryption and shorter ciphertexts when the recipient pattern contains few wildcards. More precisely, the master public key contains $L + 4$ group elements. Encryption to a recipient pattern of length $l$ with $w$ wildcards involves $w + 3$ (multi-)exponentiations and $w + 3$ group elements in the ciphertext, or $L + 3$ of these in the worst case that $l = w = L$. Decryption requires the computation of two pairings, as opposed to $l + 1$ of these for the Wa-WIBE and BB'-WIBE schemes.

We prove the security of the BBG'-WIBE scheme in the selective-identity model by reducing to the security of the BBG'-HIBE scheme that is recalled in Appendix B, rather than to the underlying decisional $L$-BDHI assumption directly.

Theorem 6.2 If the BBG'-HIBE scheme is $(t, q_K, \epsilon)$ IND-sID-CPA-secure, then the BBG'-WIBE scheme presented above is $(t', q'_K, \epsilon')$ IND-sWID-CPA-secure for all $t' \le t - L(1 + 2q_K)\, t_{\exp}$, $q'_K \le q_K$, and $\epsilon' \le \epsilon$, where $t_{\exp}$ is the time it takes to perform an exponentiation in $G$.

Proof: The proof of Theorem 6.2 is almost identical to the proof given for Theorem 5.1. We present it here for completeness. As before we assume that there exists an adversary A that breaks the IND-sWID-CPA-security of the BBG'-WIBE scheme and then we show how to efficiently build another adversary B that, using A as a black box, manages to break the IND-sID-CPA-security of the BBG'-HIBE scheme.

Algorithm B begins by running A to obtain a challenge pattern $P^* = (P^*_1, \ldots, P^*_{l^*})$. Define a projection function $\pi : \{1, \ldots, L\} \to \{0, \ldots, L\}$ where

$$\pi(i) = \begin{cases} 0 & \text{if } i \in W(P^*) \\ i - |W(P^*) \cap \{1, \ldots, i\}| & \text{otherwise.} \end{cases}$$

The projection function is such that identities at level $i \notin W(P^*)$ in the WIBE tree will be mapped onto level $\pi(i)$ in the HIBE tree. B outputs $ID^* = P^*_{\notin W(P^*)}$ as its own challenge identity and gets a master public key $mpk_H = (g_1, g_2, h_1, u_0, \ldots, u_L)$ for the BBG'-HIBE scheme in return.
It runs adversary A on master public key $mpk_W = (g_1, g_2, h_1, u_0, u'_1, \ldots, u'_L)$, where for all $1 \le i \le L$ the values $u'_i$ are generated as

$$u'_i \leftarrow \begin{cases} g_1^{\alpha_i} & \text{if } i \in W(P^*), \text{ where } \alpha_i \text{ is chosen at random from } \mathbb{Z}_p \\ u_{\pi(i)} & \text{otherwise.} \end{cases}$$

Notice that $mpk_W$ is distributed exactly as it would be if produced by the real Setup algorithm of the BBG'-WIBE scheme.

During the first phase, B has to answer all the key derivation queries $ID = (ID_1, \ldots, ID_l)$ that A is allowed to ask. For that, B queries its own key derivation oracle on identity $ID' = ID_{\notin W(P^*)}$ to get the key $d' = (a'_0, a'_{l'+1}, \ldots, a'_{L+1})$ where $l' = |ID'|$. Next, B computes the key $d_{ID} = (a_0, a_{l+1}, \ldots, a_{L+1})$ as

$$a_0 \leftarrow a'_0 \cdot \prod_{i \in W(P^*),\, i \le l} (a'_{L+1})^{\alpha_i ID_i}, \qquad a_i \leftarrow \begin{cases} (a'_{L+1})^{\alpha_i} & \text{if } i \in W(P^*) \\ a'_{\pi(i)} & \text{otherwise} \end{cases} \quad \text{for } i = l + 1, \ldots, L, \qquad a_{L+1} \leftarrow a'_{L+1}.$$
When at the end of its first phase A outputs challenge messages $m_0, m_1$, B also ends its first phase with the same messages. Let $C' = (C'_1, C'_2, C'_3)$ be the challenge ciphertext that B receives in return from its challenger, meaning that $C'$ is an encryption of $m_b$ with respect to the identity $ID^*$, where $b$ is the secret bit chosen at random by the challenger. B sets $C_1 \leftarrow C'_1$, $C_2 \leftarrow C'_2$, $C_3 \leftarrow C'_3$ and $C_4 \leftarrow \big( C_{4,i} = (C'_1)^{\alpha_i} \big)_{i \in W(P^*)}$, and feeds the ciphertext $C = (P^*, C_1, C_2, C_3, C_4)$ to A as the input for its second phase. During the second phase, A is then allowed to issue more key derivation queries, which are answered by B exactly as in the first phase. When A outputs a bit $b'$, B outputs the same bit $b'$ and stops.

By arguments similar to those given in the proof of Theorem 5.1, one can see that B provides a perfectly simulated environment for A and that B does not query for the key of the challenge identity $ID^*$ or any of its parents. Hence, B wins the game whenever A does. The running time of B is that of A plus the time needed for at most $2L$ exponentiations for each key derivation query and at most $L$ exponentiations to compute the challenge ciphertext.

6.3 From Selective-Identity to Full Security

As observed by Boneh-Boyen [BB04] for the case of IBE schemes and by Boneh-Boyen-Goh [BBG05] for the case of HIBE schemes, any HIBE scheme that is selective-identity secure can be transformed into a HIBE scheme that is IND-ID-CPA-secure in the random oracle model. The transformation only works for small hierarchy depths though, since the proof loses a factor $O(q_H^L)$ in reduction tightness. We show here that the same transformation works for the case of WIBE schemes at the cost of a factor $(q_H + 1)^L$ in reduction tightness.

Let WIBE be a WIBE scheme with maximum hierarchy depth $L$.
The idea of the transformation is to replace every pattern (or identity) $P = (P_1, \ldots, P_l)$ at key derivation or encryption with the pattern $P' = (P'_1, \ldots,$ $P'_l)$ where

$$P'_i \leftarrow \begin{cases} H_i(P_i) & \text{if } P_i \neq * \\ * & \text{otherwise,} \end{cases}$$

where $H_i$, $1 \le i \le L$, are independent random oracles mapping arbitrary bit strings into an appropriate range $\mathcal{ID}$ corresponding to the identity space of WIBE. (These $L$ independent random oracles are easily constructed from a single random oracle $H(\cdot)$, e.g. by setting $H_i(\cdot) = H(i, \cdot)$.) We refer to the scheme thus obtained as WIBE$^H$ and prove the following statement about its security.

Theorem 6.3 If WIBE is a $(t, q_K, \epsilon)$ IND-sWID-CPA-secure WIBE scheme of depth $L$, then the WIBE$^H$ scheme described above is $(t', q'_K, q_H, \epsilon')$ IND-WID-CPA-secure in the random oracle model for all $t' \le t$, $q'_K \le q_K$ and $\epsilon' \le (L + 1)(q_H + 1)^L \epsilon$.

Proof: Assume there is an adversary A breaking the full security of the WIBE$^H$ scheme; we present an adversary B that uses A as a black box and breaks the selective-identity security of the underlying WIBE scheme. In a preliminary phase, B guesses $\hat l \in \{0, \ldots, L\}$ and $\hat{ctr}_i \in \{0, \ldots, q_H\}$ for all $1 \le i \le \hat l$. It then chooses a pattern $\hat P = (\hat P_1, \ldots, \hat P_{\hat l})$ by setting $\hat P_i \leftarrow *$ if $\hat{ctr}_i = 0$ and choosing $\hat P_i$ at random from $\mathcal{ID}$ otherwise. B outputs $\hat P$ as its challenge pattern, and gets public key $mpk$ in return. It runs A on the same public key $mpk$ and responds to its oracle queries as follows:
$H_i(ID_i)$: B keeps initially empty associative arrays $T_i[\cdot]$ and counters $ctr_i$ that are initialized to zero for $1 \le i \le L$. If $T_i[ID_i]$ is undefined, B increases $ctr_i$. If $ctr_i = \hat{ctr}_i$, it sets $T_i[ID_i] \leftarrow \hat P_i$; otherwise, it chooses $T_i[ID_i]$ at random from $\mathcal{ID}$. B returns $T_i[ID_i]$ as the random oracle response to A.

KeyDer($ID = (ID_1, \ldots, ID_l)$): B simulates additional random oracle queries $ID'_i \leftarrow H_i(ID_i)$ for $1 \le i \le l$ and lets $ID' = (ID'_1, \ldots, ID'_l)$. If $ID' \in^* \hat P$ then B aborts. Otherwise, it queries $ID'$ from its own key derivation oracle and forwards the resulting key to A.

Eventually, A outputs its challenge pattern $P^* = (P^*_1, \ldots, P^*_{l^*})$ and challenge messages $m_0, m_1$. B performs additional random oracle queries $H_i(P^*_i)$ for all $i \notin W(P^*)$. If $l^* \neq \hat l$, $W(P^*) \neq W(\hat P)$ or $H_i(P^*_i) \neq \hat P_i$ for some $i \notin W(P^*)$, then B aborts. Otherwise, it submits $m_0, m_1$ as its own challenge messages and forwards the challenge ciphertext $C^*$ that it gets in return to A. During the second phase, B responds to A's oracle queries exactly as during the first phase. When A outputs a bit $b'$, B outputs the same bit $b'$.

It is easy to see that B's simulation of A's environment is perfect as long as it doesn't abort and that B wins the game whenever A does. The probability that B does not abort in the final stage of the game is at least $1 / \big( (L + 1)(q_H + 1)^L \big)$ due to the random guesses of $\hat l$ from $\{0, \ldots, L\}$ and of $\hat{ctr}_i$ from $\{0, \ldots, q_H\}$. Therefore B's advantage in winning the game is at least

$$\epsilon \ge \frac{\epsilon'}{(L + 1)(q_H + 1)^L},$$

from which the theorem follows.

7 Chosen-Ciphertext Security

In this section, for completeness, and to avoid making any unsubstantiated claims, we present an adaptation of the result of Canetti-Halevi-Katz [CHK04] to obtain chosen-ciphertext security for WIBE schemes. We show that we may use an IND-WID-CPA-secure WIBE of depth $2L + 2$ and a strongly unforgeable signature scheme (SigGen, Sign, Verify) to construct an IND-WID-CCA-secure WIBE of depth $L$.
Definition 7.1 A signature scheme is a triple of algorithms (SigGen, Sign, Verify) where SigGen takes no input (except for an implicit security parameter) and outputs a signing key $sk$ and a verification key $vk$; Sign takes as input a signing key $sk$ and a message $m \in \{0, 1\}^*$ and outputs a signature $\sigma \in \{0, 1\}^*$; and Verify takes as input a verification key $vk$, a message $m \in \{0, 1\}^*$ and a signature $\sigma \in \{0, 1\}^*$ and outputs either valid or invalid. For correctness we require that for all $(sk, vk) \leftarrow \text{SigGen}$, for all $m \in \{0, 1\}^*$ and $\sigma \leftarrow \text{Sign}(sk, m)$, we have that $\text{Verify}(vk, m, \sigma) = \text{valid}$ with probability one.

Definition 7.2 A signature scheme (SigGen, Sign, Verify) is $(t, \epsilon)$ strongly one-time secure if no probabilistic adversary A running in time at most $t$ wins the following game with probability more than $\epsilon$:
1. The challenger generates a key pair $(sk^*, vk^*) \leftarrow \text{SigGen}$.
2. The attacker executes A on input $vk^*$ until it outputs a message $m^*$.
3. The challenger computes $\sigma^* \leftarrow \text{Sign}(sk^*, m^*)$ and returns $\sigma^*$ to A. A terminates by outputting a pair $(m, \sigma)$.

The attacker wins the game if $\text{Verify}(vk^*, m, \sigma) = \text{valid}$ and $(m, \sigma) \neq (m^*, \sigma^*)$.

We will also make liberal use of an encoding function Encode. For a WIBE scheme with identity space $\mathcal{ID}^L$, this function will have different actions depending on its input. We assume that $\mathcal{ID}$ contains at least two different elements; for simplicity we assume that $\{0, 1\} \subseteq \mathcal{ID}$. For any identity $ID = (ID_1, \ldots, ID_l) \in \mathcal{ID}^L$, we define $\text{Encode}(ID) = (0, ID_1, \ldots, 0, ID_l)$. We will also use this encoding function with two arguments to denote $\text{Encode}(ID, vk) = (0, ID_1, \ldots, 0, ID_k, 1, vk)$.

Given a WIBE scheme WIBE $=$ (Setup, KeyDer, Enc, Dec) of depth $2L + 2$ with identity space $\mathcal{ID}^L$, consider the following WIBE scheme WIBE$'$ $=$ (Setup, KeyDer$'$, Enc$'$, Dec$'$) of depth $L$.

Key Derivation. The secret key of identity $ID = (ID_1, \ldots, ID_l)$ under WIBE$'$ is the secret key corresponding to identity $\text{Encode}(ID) = (0, ID_1, \ldots, 0, ID_l)$ under WIBE.

Encryption. To encrypt a message $m$ under a pattern $P$ and using a master public key $mpk$, the following steps are performed: First, we generate a signature key pair $(sk, vk) \leftarrow \text{SigGen}$. Then we compute $C \leftarrow \text{Enc}(mpk, \text{Encode}(P, vk), m)$ and $\sigma \leftarrow \text{Sign}(sk, C)$. The final ciphertext is the tuple $(vk, C, \sigma)$.

Decryption. To decrypt a ciphertext $(vk, C, \sigma)$ using a private key $d_{ID}$ for an identity $ID$, first check that $\text{Verify}(vk, C, \sigma) = \text{valid}$. If not, output $\bot$. Otherwise, compute $d \leftarrow \text{KeyDer}(d_{ID}, (1, vk))$ and output $\text{Dec}(d, C)$. Note that in this case $d$ is the decryption key for the identity $\text{Encode}(ID, vk)$ in WIBE.

Theorem 7.3 If WIBE is $(t, q_K, \epsilon)$ IND-WID-CPA-secure and (SigGen, Sign, Verify) is $(t_s, \epsilon_s)$ strongly one-time secure, then WIBE$'$ is $(t', q'_K, q'_D, \epsilon')$ IND-WID-CCA-secure for all

$$t' \le \min(t, t_s) - q'_K\, t_{\text{KeyDer}} - q'_D\, (t_{\text{KeyDer}} + t_{\text{Verify}} + t_{\text{Dec}}), \qquad q'_K \le q_K - q'_D, \qquad \epsilon' \le \epsilon + \epsilon_s,$$

where $t_{\text{KeyDer}}$, $t_{\text{Dec}}$ and $t_{\text{Verify}}$ are the running times of the KeyDer, Dec and Verify algorithms, respectively.

Proof: The proof closely follows that of [CHK04].
Let A be an IND-WID-CCA adversary against the WIBE$'$ scheme. Suppose $P^*$ is the challenge pattern that A chooses and $(vk^*, C^*, \sigma^*)$ is the challenge ciphertext that A receives during an execution of the attack game. Let Forge be the event that at some point during its execution A queries the decryption oracle on an identity $ID \in^* P^*$ and a ciphertext of the form $(vk^*, C, \sigma)$ such that $\text{Verify}(vk^*, C, \sigma) = \text{valid}$. Then we have that A's advantage is

$$\big| \Pr[\text{A wins}] - 1/2 \big| \le \Pr[\mathsf{Forge}] + \big| \Pr[\text{A wins} \wedge \neg\mathsf{Forge}] - 1/2 \big|. \qquad (1)$$
Claim 1 $\Pr[\mathsf{Forge}] \le \epsilon_s$.

Claim 2 $\big| \Pr[\text{A wins} \wedge \neg\mathsf{Forge}] - 1/2 \big| \le \epsilon$.

Proof of Claim 1: We prove the first claim by demonstrating an attacker B that breaks the one-time security of the signature scheme whenever the event Forge occurs. In the first phase, B receives a verification key $vk^*$ from the challenger. It generates $(mpk, msk) \leftarrow \text{Setup}$ and executes A on input $mpk$, responding to its key derivation and decryption queries using the real KeyDer$'$ and Dec$'$ algorithms, which it can do because it knows $msk$. It keeps a list of A's decryption queries $(ID, (vk, C, \sigma))$ for later reference. When A outputs challenge pattern $P^*$ and challenge messages $m_0, m_1$, B chooses a random bit $b \in \{0, 1\}$, computes $C^* \leftarrow \text{Enc}(mpk, \text{Encode}(P^*, vk^*), m_b)$ and requests a signature $\sigma^*$ on message $C^*$ from its own challenger. Algorithm B then runs A on input $(vk^*, C^*, \sigma^*)$ until it halts, responding to A's oracle queries as before. At the end of A's execution, B checks whether the list of A's decryption queries contains an entry $(ID, (vk, C, \sigma))$ such that $ID \in^* P^*$, $vk = vk^*$ and $\text{Verify}(vk^*, C, \sigma) = \text{valid}$, or in other words, checks whether the event Forge occurred. Note that in this case $(C, \sigma) \neq (C^*, \sigma^*)$ because A is not allowed to query the decryption oracle on the challenge ciphertext with an identity $ID \in^* P^*$. B outputs $(C, \sigma)$ as its forgery and wins the game. The running time of B is that of A plus the time needed for $q'_K + q'_D$ applications of the KeyDer algorithm, $q'_D$ applications of the Verify algorithm and $q'_D$ applications of the Dec algorithm.

Proof of Claim 2: To prove the second claim, we show that there exists an IND-WID-CPA attacker C against WIBE that uses A as a subroutine and that has advantage $\epsilon'$ of winning the game whenever the event Forge does not occur. Algorithm C, on input a master public key $mpk$, runs A on input $mpk$, answering its oracle queries as follows: If A queries the key extraction oracle on the identity $ID$, then C queries its key extraction oracle on the identity $\text{Encode}(ID)$ and returns the resulting key to A. If A queries the decryption oracle on the identity $ID$ and ciphertext $(vk, C, \sigma)$, then C checks that $\text{Verify}(vk, C, \sigma) = \text{valid}$.
If not, then C returns $\bot$ to A. If the signature is valid, C queries its key extraction oracle on the identity $\text{Encode}(ID, vk)$ to receive the decryption key $d$ and returns the output of $\text{Dec}(d, C)$ to A. When A outputs challenge pattern $P^*$ and challenge messages $m_0, m_1$, C generates a fresh key pair $(sk^*, vk^*) \leftarrow \text{SigGen}$ and outputs $\text{Encode}(P^*, vk^*)$ and $m_0, m_1$ as its own challenge pattern and messages. In return, it gets a challenge ciphertext $C^*$ from its challenger. C computes $\sigma^* \leftarrow \text{Sign}(sk^*, C^*)$ and feeds $(vk^*, C^*, \sigma^*)$ to A, answering its oracle queries exactly as before. When A outputs a bit $b'$, C outputs the same bit $b'$.

It is not hard to see that C's simulation of A's environment is perfect and that C wins the game whenever A does, as long as C does not make any illegal key derivation queries. We have left to argue why the latter fact is true. First consider the queries that C makes to respond to A's key derivation query $ID$. Let $ID' = \text{Encode}(ID)$ and let $P' = \text{Encode}(P^*, vk^*)$. If $|ID'| > |P'|$ then $ID'$ can never match $P'$. If $|ID'| = |P'|$ then still $ID' \notin^* P'$ because $ID'$ and $P'$ are different on the next to last level ($ID'$ contains a zero there, while $P'$ contains a one). If $|ID'| < |P'|$ then the only way to have $ID' \in^* P'$ is if also $ID \in^* P^*$, which are illegal queries in A's game as well.
Second, consider the key derivation queries that C makes in order to respond to A's decryption queries. If A makes decryption query $(ID, (vk, C, \sigma))$, then C makes a key derivation query for $ID' = \text{Encode}(ID, vk)$. Let $P' = \text{Encode}(P^*, vk^*)$. If $vk \neq vk^*$ then definitely $ID' \notin^* P'$: either $ID'$ has a zero where $P'$ has a one, or they differ on the last level. So let us focus on the case that $vk = vk^*$. If $|ID'| > |P'|$ then $ID'$ can never match $P'$. If $|ID'| < |P'|$ then the next to last level of $ID'$ contains a one while $P'$ contains a zero there, so also in that case $ID' \notin^* P'$. If $|ID'| = |P'|$, then the only way to have $ID' \in^* P'$ is if also $ID \in^* P^*$, but this case is excluded by the event Forge.

The running time of C is that of A plus the time needed to compute $q'_D$ applications of the Verify and Dec algorithms and one application of the Sign algorithm. It also performs $q_K = q'_K + q'_D$ queries to its key derivation oracle.

The bound on $\epsilon'$ in the statement of Theorem 7.3 follows directly from Equation (1) and the two claims above. The bound on the number of key derivation queries $q'_K$ is due to the proof of Claim 2 above. For the bound on $t'$ we have to take into account the running times of both algorithms B and C in the proofs of Claims 1 and 2. From the proof of Claim 1 we have that

$$t' \le t_1 = t - (q'_K + q'_D)\, t_{\text{KeyDer}} - q'_D\, t_{\text{Verify}} - q'_D\, t_{\text{Dec}}$$

and from the proof of Claim 2 we have that

$$t' \le t_2 = t_s - q'_D\, t_{\text{Verify}} - q'_D\, t_{\text{Dec}}.$$

To simultaneously satisfy both equations, we need to upper-bound $t'$ by

$$\min(t_1, t_2) \ge \min(t, t_s) - q'_K\, t_{\text{KeyDer}} - q'_D\, (t_{\text{KeyDer}} + t_{\text{Verify}} + t_{\text{Dec}}),$$

where we use that $\min(x - z, y - z) \ge \min(x, y) - z$ and $\min(x - w, y - z) \ge \min(x, y) - w - z$.

One may wonder why we require a $(2L + 2)$-level IND-WID-CPA-secure WIBE in order to construct an $L$-level IND-WID-CCA-secure WIBE when the original result of Canetti-Halevi-Katz [CHK04] only required an $(L + 1)$-level IND-ID-CPA-secure HIBE to construct an $L$-level IND-ID-CCA-secure HIBE. The construction of [CHK04] encodes every identity string $ID$ as $0 \| ID$ and every verification key $vk$ as $1 \| vk$.
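As an added illustration (not the paper's code), the following Python implements the Encode function of Section 7 and replays the matching argument just given for the key extraction queries that C makes; for comparison it also includes the single-level $0 \| ID$ / $1 \| vk$ encoding of [CHK04], whose shortcoming for WIBEs is explained next. Identities are tuples of strings, '*' is the wildcard, and the query lists are constructed sample inputs for a depth $L = 2$ game.

```python
STAR = "*"


def matches(ID, P):
    """ID in* P: |ID| <= |P| and ID_i = P_i at every non-wildcard level i <= |ID|."""
    return len(ID) <= len(P) and all(p == STAR or p == x for x, p in zip(ID, P))


def encode(ID, vk=None):
    """Section 7: Encode(ID) = (0, ID_1, ..., 0, ID_l) and
    Encode(ID, vk) = (0, ID_1, ..., 0, ID_l, 1, vk).  Each tag bit gets its own level.
    A wildcard component is copied unchanged, so Encode(P, vk) is again a pattern."""
    out = []
    for comp in ID:
        out += ["0", comp]
    if vk is not None:
        out += ["1", vk]
    return tuple(out)


def encode_chk(ID, vk=None):
    """The [CHK04] HIBE encoding: 0||ID_i inside each level and 1||vk as one extra
    level (a wildcard stays a wildcard).  Included only to exhibit the problem."""
    out = [comp if comp == STAR else "0" + comp for comp in ID]
    if vk is not None:
        out.append("1" + vk)
    return tuple(out)


def illegal_queries(enc, P_star, vk_star, key_queries, dec_queries):
    """Identities that algorithm C (proof of Claim 2) would have to request from its own
    key extraction oracle although they match its challenge pattern enc(P_star, vk_star).
    key_queries: A's KeyDer queries; dec_queries: (ID, vk) pairs from A's decryption
    queries whose signature verified.  An empty result means C never queries illegally."""
    P_prime = enc(P_star, vk_star)
    bad = [enc(ID) for ID in key_queries if matches(enc(ID), P_prime)]
    bad += [enc(ID, vk) for ID, vk in dec_queries if matches(enc(ID, vk), P_prime)]
    return bad


# Constructed sample game with L = 2: challenge pattern P* = (alice, *) and key vk*.
P_STAR, VK_STAR = ("alice", STAR), "vk_star"
# KeyDer queries A may make: identities that do not match P*.
KEY_QUERIES = [("bob",), ("bob", "hr")]
# Decryption queries under fresh keys vk != vk* on identities that do match P*
# (legal for A, so C must be able to answer them without an illegal key query).
DEC_QUERIES = [(("alice",), "vk1"), (("alice", "hr"), "vk2")]


def check_both():
    """(illegal queries with Encode, illegal queries with the CHK-style encoding)."""
    return (illegal_queries(encode, P_STAR, VK_STAR, KEY_QUERIES, DEC_QUERIES),
            illegal_queries(encode_chk, P_STAR, VK_STAR, KEY_QUERIES, DEC_QUERIES))
```

With the two-level encoding the list of illegal queries is empty, while the single-level encoding lets the decryption query for `("alice",)` under `vk1` collide with the wildcard of the challenge pattern.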
For a HIBE, the different form of the two types of binary string means that when we use the key extraction oracle to decrypt a ciphertext, we never query the key extraction oracle on an ancestor of the challenge identity. However, if we try to use the same trick to construct a chosen-ciphertext secure WIBE, then it is possible that we will query the key extraction oracle on an identity that matches the challenge pattern, because both $0 \| ID$ and $1 \| vk$ match the pattern string $*$. Hence, we are forced to place the single bits that identify whether the following binary string is an identity or a verification key into their own levels of the WIBE.

Applying the transformation to Wa-WIBE. If we apply the above transformation to the (IND-WID-CPA-secure) Wa-WIBE scheme described in Section 5 and prove the security of the scheme directly, rather than by applying Theorems 5.1 and 7.3, then we may achieve some small efficiency gains. In particular, if we wish to construct an $L$-level CCA-secure WIBE scheme, then a naive application of the theorems suggests that we have to start from a $(2L + 2)$-level Wa-WIBE scheme, meaning that the public parameters for the WIBE consist of $(2L + 2)(n + 1) + 3$ group elements, and that we lose a factor of $2^{2L+2}$ in the security reduction from the Wa-WIBE to the Wa-HIBE scheme. However, if we look at the proof techniques used in the theorems, then we can make some efficiency gains. In particular,
$L + 1$ levels of the WIBE are only used to encode either a zero or a one. This means that the public parameters do not require the $n + 1$ group elements required to represent an $n$-bit identity at those levels; they only require the two group elements that are required to encode a single-bit identity. Hence, the public parameters only require $(L + 1)(n + 3) + 3$ group elements.

The reduction from the CPA-secure WIBE to the CPA-secure HIBE loses a factor of $2^{2L+2}$ because we need to guess the positions of the wildcards in the challenge identity. However, in this construction, the wildcards can only occur at $L$ different positions, instead of all $2L + 2$ positions. Hence, we actually only lose a factor of $2^L$ in this reduction.

Unfortunately, we still do require a $(2L + 2)$-level instantiation of the Wa-WIBE scheme. This implies an important security loss because the proof of security for the Wa-HIBE loses a factor of $O((nq_K)^{2L+2})$ in the reduction to the BDDH assumption.

Acknowledgments

We would like to thank James Birkett, Jacob Schuldt, Brent Waters and the anonymous referees of ICALP 2006 for their valuable input. We also thank Mihir Bellare for pointing out the relation between WIBE and fuzzy identity-based encryption. This work was supported in part by the European Commission through the IST Programme under Contract IST ECRYPT. The information in this document reflects only the authors' views, is provided as is and no guarantee or warranty is given that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability. The first two authors were supported in part by France Telecom R&D as part of the contract CIDRE, between France Telecom R&D and École normale supérieure. The fifth author is a Postdoctoral Fellow of the Research Foundation Flanders (FWO-Vlaanderen), and was supported in part by the Concerted Research Action (GOA) Ambiorics 2005/11 of the Flemish Government.

References

[ACD+06] Michel Abdalla, Dario Catalano, Alex Dent, John Malone-Lee, Gregory Neven, and Nigel Smart.
Identity-based encryption gone wild. In Michele Bugliesi, Bart Preneel, Vladimiro Sassone, and Ingo Wegener, editors, ICALP 2006: 33rd International Colloquium on Automata, Languages and Programming, Part II, volume 4052 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany, July 9–16. (Cited on page 1.)

[BB04] Dan Boneh and Xavier Boyen. Efficient selective-ID secure identity based encryption without random oracles. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, Interlaken, Switzerland, May 2–6. Springer-Verlag, Berlin, Germany. (Cited on pages 2, 3, 4, 6, 11, 15, 22 and 23.)

[BBG05] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size ciphertext. In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, Aarhus, Denmark, May 22–26. Springer-Verlag, Berlin, Germany. (Cited on pages 2, 6, 11, 12, 15, 24 and 25.)

[BF03] Dan Boneh and Matthew K. Franklin. Identity based encryption from the Weil pairing. SIAM Journal on Computing, 32(3). (Cited on pages 1 and 4.)

[BR93] Mihir Bellare and Phillip Rogaway. Random oracles are practical: A paradigm for designing efficient protocols. In ACM CCS 93: 1st Conference on Computer and Communications
Security, pages 62–73, Fairfax, Virginia, USA, November 3–5. ACM Press. (Cited on page 2.)

[BR94] Mihir Bellare and Phillip Rogaway. Entity authentication and key distribution. In Douglas R. Stinson, editor, Advances in Cryptology – CRYPTO'93, volume 773 of Lecture Notes in Computer Science, Santa Barbara, CA, USA, August 22–26. Springer-Verlag, Berlin, Germany. (Cited on page 4.)

[CHK04] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. In Christian Cachin and Jan Camenisch, editors, Advances in Cryptology – EUROCRYPT 2004, volume 3027 of Lecture Notes in Computer Science, Interlaken, Switzerland, May 2–6. Springer-Verlag, Berlin, Germany. (Cited on pages 2, 16, 17 and 19.)

[Coc01] Clifford Cocks. An identity based encryption scheme based on quadratic residues. In Bahram Honary, editor, Cryptography and Coding, 8th IMA International Conference, volume 2260 of Lecture Notes in Computer Science, Cirencester, UK, December 17–19. Springer-Verlag, Berlin, Germany. (Cited on page 1.)

[CS06] Sanjit Chatterjee and Palash Sarkar. Trading time for space: Towards an efficient IBE scheme with short(er) public parameters in the standard model. In Dongho Won and Seungjoo Kim, editors, Information Security and Cryptology – ICISC 2005, volume 3935 of Lecture Notes in Computer Science. Springer-Verlag, Berlin, Germany. (Cited on page 8.)

[GS02] Craig Gentry and Alice Silverberg. Hierarchical ID-based cryptography. In Yuliang Zheng, editor, Advances in Cryptology – ASIACRYPT 2002, volume 2501 of Lecture Notes in Computer Science, Queenstown, New Zealand, December 1–5. Springer-Verlag, Berlin, Germany. (Cited on page 1.)

[HL02] Jeremy Horwitz and Ben Lynn. Toward hierarchical identity-based encryption. In Lars R. Knudsen, editor, Advances in Cryptology – EUROCRYPT 2002, volume 2332 of Lecture Notes in Computer Science, Amsterdam, The Netherlands, April 28 – May 2. Springer-Verlag, Berlin, Germany. (Cited on page 1.)

[MSK02] Shigeo Mitsunari, Ryuichi Sakai, and Masao Kasahara. A new traitor tracing.
IEICE Transactions, E85-A(2), February. (Cited on pages 2 and 3.)

[Nac05] David Naccache. Secure and practical identity-based encryption. Cryptology ePrint Archive, Report 2005/369. (Cited on page 8.)

[Sha85] Adi Shamir. Identity-based cryptosystems and signature schemes. In G. R. Blakley and David Chaum, editors, Advances in Cryptology – CRYPTO'84, volume 196 of Lecture Notes in Computer Science, pages 47–53, Santa Barbara, CA, USA, August 19–23. Springer-Verlag, Berlin, Germany. (Cited on page 1.)

[SOK00] Ryuichi Sakai, Kiyoshi Ohgishi, and Masao Kasahara. Cryptosystems based on pairing. In SCIS 2000, Okinawa, Japan, January. (Cited on page 1.)

[SW05] Amit Sahai and Brent R. Waters. Fuzzy identity-based encryption. In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, Aarhus, Denmark, May 22–26. Springer-Verlag, Berlin, Germany. (Cited on page 6.)

[Wat05] Brent R. Waters. Efficient identity-based encryption without random oracles. In Ronald Cramer, editor, Advances in Cryptology – EUROCRYPT 2005, volume 3494 of Lecture Notes in Computer Science, Aarhus, Denmark, May 22–26. Springer-Verlag, Berlin, Germany. (Cited on pages 2, 6, 7 and 8.)
A  The BB-HIBE Scheme

In this section, we present a variant of the HIBE scheme by Boneh and Boyen from Eurocrypt 2004 [BB04].

Setup. The trusted authority chooses random generators $g_1, g_2 \in \mathbb{G}$ and a random $\alpha \in \mathbb{Z}_p$, and sets $h_1 \leftarrow g_1^{\alpha}$. Next, it picks random elements $u_{1,0}, \dots, u_{L,0}, u_{1,1}, \dots, u_{L,1} \in \mathbb{G}$ and sets $h_2 \leftarrow g_2^{\alpha}$. The master public key is $mpk = (g_1, h_1, g_2, u_{1,0}, \dots, u_{L,0}, u_{1,1}, \dots, u_{L,1})$. The corresponding master secret key is $msk = h_2$.

Key Derivation. A user's identity is given by a vector $ID = (ID_1, \dots, ID_l)$ where each $ID_i$ is an element of $\mathbb{Z}_p$. To compute the decryption key for identity $ID$ from the master secret key, one first chooses random values $r_i \in \mathbb{Z}_p$ for $i = 1, \dots, l$; the private key $d_{ID}$ is then constructed as
$$ d_{ID} = (a_0, a_1, \dots, a_l) = \Big( h_2 \prod_{i=1}^{l} \big( u_{i,0}\, u_{i,1}^{ID_i} \big)^{r_i},\ g_1^{r_1}, \dots, g_1^{r_l} \Big). $$
Notice that, as required, the secret key for identity $ID = (ID_1, \dots, ID_l)$ can be computed from the secret key $(a_0, a_1, \dots, a_{l-1})$ of the parent $(ID_1, \dots, ID_{l-1})$ by choosing a random $r_l \in \mathbb{Z}_p$ and outputting
$$ d_{ID} = \Big( a_0 \big( u_{l,0}\, u_{l,1}^{ID_l} \big)^{r_l},\ a_1, \dots, a_{l-1},\ g_1^{r_l} \Big). $$

Encryption. To encrypt a message $m \in \mathbb{G}_T$ for an identity $ID = (ID_1, \dots, ID_l)$, the sender first chooses $t \in \mathbb{Z}_p$ and outputs the ciphertext $C = (C_1, C_2, C_3)$, where
$$ C_1 = g_1^{t}, \qquad C_2 = \big( C_{2,i} \big)_{i=1,\dots,l} \ \text{ with } \ C_{2,i} = \big( u_{i,0}\, u_{i,1}^{ID_i} \big)^{t}, \qquad C_3 = m \cdot \hat{e}(h_1, g_2)^{t}. $$

Decryption. If the receiver is the root authority holding the master key $msk$, then he can recover the message by computing $C_3 / \hat{e}(C_1, msk)$. Any other receiver with identity $ID = (ID_1, \dots, ID_l)$ and decryption key $d_{ID} = (a_0, a_1, \dots, a_l)$ decrypts a ciphertext $C = (C_1, (C_{2,i})_{i=1,\dots,l}, C_3)$ by computing
$$ m \leftarrow C_3 \cdot \frac{\prod_{i=1}^{l} \hat{e}(a_i, C_{2,i})}{\hat{e}(C_1, a_0)}. $$
The fact that decryption works can be seen as follows.
$$ \frac{\prod_{i=1}^{l} \hat{e}(a_i, C_{2,i})}{\hat{e}(C_1, a_0)} = \frac{\prod_{i=1}^{l} \hat{e}\big( g_1^{r_i}, (u_{i,0}\, u_{i,1}^{ID_i})^{t} \big)}{\hat{e}\big( g_1^{t},\ h_2 \prod_{i=1}^{l} (u_{i,0}\, u_{i,1}^{ID_i})^{r_i} \big)} = \frac{\hat{e}\big( g_1^{t},\ \prod_{i=1}^{l} (u_{i,0}\, u_{i,1}^{ID_i})^{r_i} \big)}{\hat{e}(g_1^{t}, h_2)\ \hat{e}\big( g_1^{t},\ \prod_{i=1}^{l} (u_{i,0}\, u_{i,1}^{ID_i})^{r_i} \big)} = \frac{1}{\hat{e}(g_1, h_2)^{t}} = \frac{1}{\hat{e}(h_1, g_2)^{t}}, $$
where the last equality uses $\hat{e}(g_1, h_2) = \hat{e}(g_1, g_2)^{\alpha} = \hat{e}(h_1, g_2)$.

The main difference between the original HIBE scheme of [BB04] and our variant above is that our scheme uses a different value $u_{i,1}$ for each level $i$, while the original scheme uses the same value $u_1$ for all levels. Adding wildcard functionality to the original scheme would require us to include $u_1^{t}$ in the ciphertext, but this ruins security: the value can be used to change the recipient identity for non-wildcard levels as well, since $(u_{i,0}\, u_1^{ID_i})^{t} \cdot (u_1^{t})^{ID_i' - ID_i} = (u_{i,0}\, u_1^{ID_i'})^{t}$ for any $ID_i'$ of the attacker's choosing, with no key involved.
Theorem A.1 If the $(t, \epsilon)$-BDDH assumption holds in $\mathbb{G}$, then the BB-HIBE scheme with hierarchy depth $L$ is $(t', q_K, \epsilon)$-IND-sID-CPA-secure, where $t' = t - \Theta(L\, q_K\, t_{exp})$ and $t_{exp}$ is the maximum time for an exponentiation in $\mathbb{G}$.

Proof: The present proof follows very closely the proof of security for the original scheme in [BB04]. As before, we assume that there exists an adversary $\mathcal{A}$ that breaks the IND-sID-CPA-security of the BB-HIBE scheme, and we show how to efficiently build another adversary $\mathcal{B}$ that, using $\mathcal{A}$ as a black box, solves the BDDH problem in $\mathbb{G}$. Algorithm $\mathcal{B}$ first receives as input a random tuple $(g, A = g^{a}, B = g^{b}, C = g^{c}, Z)$, and its goal is to determine whether $Z = \hat{e}(g,g)^{abc}$ or $Z = \hat{e}(g,g)^{z}$ for a random element $z \in \mathbb{Z}_p$. Algorithm $\mathcal{B}$ should output 1 if $Z = \hat{e}(g,g)^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works as follows.

Initialisation. Algorithm $\mathcal{B}$ starts interacting with $\mathcal{A}$ in the IND-sID-CPA game. Let $ID^* = (ID_1^*, \dots, ID_{l^*}^*)$, where $0 \le l^* \le L$, be the challenge identity output by $\mathcal{A}$. If necessary, $\mathcal{B}$ appends random elements of $\mathbb{Z}_p$ to $ID^*$ so that $ID^*$ is a vector of length $L$.

Setup. To generate the system parameters, $\mathcal{B}$ first sets $g_1 \leftarrow g$, $h_1 \leftarrow A$ and $g_2 \leftarrow B$. Algorithm $\mathcal{B}$ then chooses $\alpha_{1,0}, \dots, \alpha_{L,0}, \alpha_{1,1}, \dots, \alpha_{L,1} \in \mathbb{Z}_p$ at random and sets
$$ u_{i,0} \leftarrow g_1^{\alpha_{i,0}}\, h_1^{-ID_i^* \alpha_{i,1}} \qquad \text{and} \qquad u_{i,1} \leftarrow h_1^{\alpha_{i,1}} \qquad \text{for } i = 1, \dots, L, $$
so that $u_{i,0}\, u_{i,1}^{ID_i^*} = g_1^{\alpha_{i,0}}$ for every $i$. Next, $\mathcal{B}$ gives $\mathcal{A}$ the master public key $mpk \leftarrow (g_1, h_1, g_2, u_{1,0}, \dots, u_{L,0}, u_{1,1}, \dots, u_{L,1})$. Note that the corresponding master secret key $msk = g_2^{a}$ is unknown to $\mathcal{B}$.

Key Derivation queries. During the phases of its attack against the IND-sID-CPA-security of BB-HIBE, $\mathcal{A}$ can make up to $q_K$ queries to its key derivation oracle. Let $ID = (ID_1, \dots, ID_l)$, where $ID_i \in \mathbb{Z}_p$ and $l \le L$, be one such query. By the rules of the game, $ID$ cannot be a prefix of $ID^*$. Let $j$ be the smallest index such that $ID_j \ne ID_j^*$; necessarily $1 \le j \le l$. To reply to this query, $\mathcal{B}$ first computes the key for the identity $ID_{|j} = (ID_1, \dots, ID_j)$ and then derives the key for $ID$ as in the key derivation algorithm.

To derive the key for identity $ID_{|j}$, $\mathcal{B}$ chooses the values $r_1, \dots, r_j \in \mathbb{Z}_p$ at random and sets
$$ d_{ID_{|j}} = (a_0, a_1, \dots, a_j) = \Big( g_2^{-\frac{\alpha_{j,0}}{\alpha_{j,1}(ID_j - ID_j^*)}} \prod_{i=1}^{j} \big( u_{i,0}\, u_{i,1}^{ID_i} \big)^{r_i},\ g_1^{r_1}, \dots, g_1^{r_{j-1}},\ g_2^{-\frac{1}{\alpha_{j,1}(ID_j - ID_j^*)}}\, g_1^{r_j} \Big). $$
To see why $(a_0, a_1, \dots, a_j)$ is a valid random private key for identity $ID_{|j}$, let $\tilde{r}_j = r_j - \frac{b}{\alpha_{j,1}(ID_j - ID_j^*)} \bmod p$, and note that $u_{j,0}\, u_{j,1}^{ID_j} = g_1^{\alpha_{j,0}}\, h_1^{\alpha_{j,1}(ID_j - ID_j^*)}$. Then we have that
$$ \begin{aligned} g_2^{-\frac{\alpha_{j,0}}{\alpha_{j,1}(ID_j - ID_j^*)}} \big( u_{j,0}\, u_{j,1}^{ID_j} \big)^{r_j} &= g_2^{-\frac{\alpha_{j,0}}{\alpha_{j,1}(ID_j - ID_j^*)}} \big( u_{j,0}\, u_{j,1}^{ID_j} \big)^{\tilde{r}_j + \frac{b}{\alpha_{j,1}(ID_j - ID_j^*)}} \\ &= g_2^{-\frac{\alpha_{j,0}}{\alpha_{j,1}(ID_j - ID_j^*)}} \Big( g_1^{\alpha_{j,0}}\, h_1^{\alpha_{j,1}(ID_j - ID_j^*)} \Big)^{\frac{b}{\alpha_{j,1}(ID_j - ID_j^*)}} \big( u_{j,0}\, u_{j,1}^{ID_j} \big)^{\tilde{r}_j} \\ &= h_1^{b}\, \big( u_{j,0}\, u_{j,1}^{ID_j} \big)^{\tilde{r}_j} \\ &= g_2^{a}\, \big( u_{j,0}\, u_{j,1}^{ID_j} \big)^{\tilde{r}_j}, \end{aligned} $$
where we used $g_1^{b} = g_2$ and $h_1^{b} = g^{ab} = g_2^{a}$. From the above, it follows that
$$ a_0 = g_2^{a} \big( u_{j,0}\, u_{j,1}^{ID_j} \big)^{\tilde{r}_j} \prod_{i=1}^{j-1} \big( u_{i,0}\, u_{i,1}^{ID_i} \big)^{r_i}, \qquad a_1 = g_1^{r_1},\ \dots,\ a_{j-1} = g_1^{r_{j-1}}, \qquad a_j = g_1^{\tilde{r}_j}, $$
where $r_1, \dots, r_{j-1}, \tilde{r}_j$ are uniformly distributed over $\mathbb{Z}_p$. From $(a_0, a_1, \dots, a_j)$, algorithm $\mathcal{B}$ can derive the key for $ID$ as in the key derivation algorithm.

Challenge. Let $(m_0, m_1)$ be the pair of messages that $\mathcal{A}$ outputs at the end of the first phase of the IND-sID-CPA game. Algorithm $\mathcal{B}$ then chooses a random bit $\beta \in \{0,1\}$ and sends
$$ C^* = \big( C,\ C^{\alpha_{1,0}}, \dots, C^{\alpha_{l^*,0}},\ m_{\beta} \cdot Z \big) $$
to $\mathcal{A}$ as the challenge ciphertext. Since $u_{i,0}\, u_{i,1}^{ID_i^*} = g_1^{\alpha_{i,0}}$ for all $i$, we have that
$$ C^* = \big( g_1^{c},\ (u_{1,0}\, u_{1,1}^{ID_1^*})^{c}, \dots, (u_{l^*,0}\, u_{l^*,1}^{ID_{l^*}^*})^{c},\ m_{\beta} \cdot Z \big). $$
As a result, when $Z = \hat{e}(g,g)^{abc} = \hat{e}(h_1, g_2)^{c}$, $C^*$ is a valid encryption of message $m_{\beta}$ for the challenge identity $ID^* = (ID_1^*, \dots, ID_{l^*}^*)$. On the other hand, when $Z = \hat{e}(g,g)^{z}$ for a random value $z \in \mathbb{Z}_p$, the challenge ciphertext is independent of $\beta$ from the view point of the adversary.

Guess. Let $\beta'$ be the output of $\mathcal{A}$ at the end of the second phase of the IND-sID-CPA game. If $\beta' = \beta$, then algorithm $\mathcal{B}$ outputs 1, guessing that $Z = \hat{e}(g,g)^{abc}$. Otherwise, $\mathcal{B}$ outputs 0. Clearly, when $Z = \hat{e}(g,g)^{abc}$, the view of $\mathcal{A}$ is identical to its view in a real attack and, thus, the probability that $\beta' = \beta$ is exactly the probability that $\mathcal{A}$ wins the IND-sID-CPA game. On the other hand, when $Z$ is a random group element in $\mathbb{G}_T$, the probability that $\beta' = \beta$ is exactly $1/2$. From the above, the result announced in Theorem A.1 follows immediately.

B  The BBG-HIBE Scheme

In this section we present the HIBE scheme due to Boneh, Boyen and Goh [BBG05], referred to as the BBG-HIBE scheme here. The Setup and KeyDer algorithms are exactly as in the BBG-WIBE scheme presented in Section 6.2. Encryption and decryption work as follows.

Encryption. To encrypt a message $m \in \mathbb{G}_T$ for an identity $ID = (ID_1, \dots, ID_l)$, the sender first chooses $t \in \mathbb{Z}_p$ and outputs the ciphertext $C = (C_1, C_2, C_3) \in \mathbb{G} \times \mathbb{G} \times \mathbb{G}_T$, where
$$ C_1 \leftarrow g_1^{t}, \qquad C_2 \leftarrow \Big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \Big)^{t}, \qquad C_3 \leftarrow m \cdot \hat{e}(h_1, g_2)^{t}. $$

Decryption. If the receiver is the root authority holding the master key $msk = h_2$, then he can recover the message by computing $C_3 / \hat{e}(C_1, h_2)$.
Any other receiver with identity $ID = (ID_1, \dots, ID_l)$ and decryption key $d_{ID} = (a_0, a_{l+1}, \dots, a_{L+1})$, where as in Section 6.2 $a_0 = h_2 \big( u_0 \prod_{i=1}^{l} u_i^{ID_i} \big)^{r}$ and $a_{L+1} = g_1^{r}$ for a random $r \in \mathbb{Z}_p$, decrypts a ciphertext $C = (C_1, C_2, C_3)$ as follows:
$$ m \leftarrow C_3 \cdot \frac{\hat{e}(C_2, a_{L+1})}{\hat{e}(C_1, a_0)} = C_3 \cdot \frac{\hat{e}\big( u_0 \prod_{i=1}^{l} u_i^{ID_i},\ g_1 \big)^{rt}}{\hat{e}(g_1, h_2)^{t}\ \hat{e}\big( g_1,\ u_0 \prod_{i=1}^{l} u_i^{ID_i} \big)^{rt}} = \frac{C_3}{\hat{e}(h_1, g_2)^{t}} = m. $$

The following theorem about the security of the scheme was proved in (the full version of) [BBG05].

Theorem B.1 If the $(t, \epsilon)$-decisional $L$-BDHI assumption holds in $\mathbb{G}$, then the BBG-HIBE scheme with hierarchy depth $L$ is $(t', q_K, \epsilon')$-IND-sID-CPA-secure for arbitrary $q_K$ and for all $t' \le t - O(L\, q_K\, t_{exp})$ and $\epsilon' \ge \epsilon$, where $t_{exp}$ is the time for an exponentiation in $\mathbb{G}$.