
Don’t Tamper with Dual System Encryption

Beyond Polynomial Related-Key Security of IBE

  • Conference paper
  • Applied Cryptography and Network Security (ACNS 2022)

Abstract

In related-key attacks (RKA), an attacker modifies a secret key stored in a device by tampering or fault injection and observes the evaluation output of the cryptographic algorithm based on this related key. In this work, we show that the dual system encryption methodology of Waters (Crypto 2009) fits well with RKA security. We apply simple modifications to a regularly-secure identity-based encryption (IBE) scheme (TCC 2010) constructed through dual system to achieve RKA security for rational functions, which is beyond the polynomial barrier of Bellare et al.'s framework (Asiacrypt 2012). We achieve security by pushing the complexity of RKA directly down to the underlying intractability assumption. We also discuss how to extend it to a hierarchical IBE scheme that remains secure against RKA over identity-based secret keys beyond the master secret, albeit under some structural constraints.

Sherman S. M. Chow is supported by General Research Fund (CUHK 14209918) from Research Grant Council, and CUHK Project Impact Enhancement Fund (3133292). The authors would like to thank S. M. Yiu for his early support and comments.

Notes

  1. Fujisaki and Xagawa [19] provided a counterexample refuting the security proof of Qin et al. [26] for their RKA-secure IBE scheme in the split-state model (i.e., tampering can only be applied to the two parts of the encoded secret state independently).

  2. In the most optimistic case, our construction might turn out to remain secure against an even broader class of RKA attacks, but no one has explicitly analyzed the hardness of the corresponding version of the assumption so far.

  3. Special restrictions may also apply to existing schemes. For example, Goyal et al. [20] proposed selectively secure \(\varPhi \)-RKA secure signatures, where \(\varPhi \) is the set of polynomials which are distinct even “ignoring the constant term” (i.e., the difference between any two polynomials should not lie only in the constant term).

  4. Obviously, static assumptions are weaker than non-static counterparts.

  5. This belongs to q-type assumptions, commonly known for more than a decade.

  6. A random variable expressed in this way has degree t if the maximum degree of any variable is t [22].

  7. The case that \(\mathsf {ID}^* \ne \mathsf {ID}_\ell \) and \(\mathsf {ID}^* = \mathsf {ID}_\ell \bmod p_2\) is eliminated by Game\(_{ res }\).

  8. The case that \(\phi _\ell (\alpha ) \ne \alpha \) and \(\phi _\ell (\alpha ) = \alpha \bmod p_2\) can be eliminated by an extra game similar to Game\(_{ res }\) considering \(a + c \cdot \alpha \) modulo \(p_2\). We omit the repetitive details.

  9. The case that \(\mathsf {id}^*_i \ne \mathsf {id}_i\) and \(\mathsf {id}^*_i = \mathsf {id}_i \bmod p_2\) is eliminated by Game\(_{ res }\).

  10. The case that \(\phi _\ell (\alpha ) \ne \alpha \) and \(\phi _\ell (\alpha ) = \alpha \bmod p_2\) can be eliminated by an extra game similar to Game\(_{ res }\) considering \(a + c \cdot \alpha \) modulo \(p_2\). We omit the repetitive details.

References

  1. Abdalla, M., Benhamouda, F., Passelègue, A.: Algebraic XOR-RKA-secure pseudorandom functions from post-zeroizing multilinear maps. In: Galbraith, S.D., Moriai, S. (eds.) ASIACRYPT 2019. LNCS, vol. 11922, pp. 386–412. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-34621-8_14

  2. Bellare, M., Cash, D., Miller, R.: Cryptography secure against related-key attacks and tampering. In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 486–503. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0_26

  3. Bellare, M., Paterson, K.G., Thomson, S.: RKA security beyond the linear barrier: IBE, encryption and signatures. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 331–348. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34961-4_21

  4. Biham, E.: New types of cryptanalytic attacks using related keys. J. Cryptol. 7(4), 229–246 (1994)

  5. Biryukov, A., Khovratovich, D., Nikolić, I.: Distinguisher and related-key attack on the full AES-256. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 231–249. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_14

  6. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004). https://doi.org/10.1007/978-3-540-24676-3_14

  7. Boneh, D., Boyen, X., Goh, E.-J.: Hierarchical identity based encryption with constant size ciphertext. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 440–456. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_26

  8. Boneh, D., Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. SIAM J. Comput. 36(5), 1301–1328 (2007)

  9. Boyen, X.: General ad hoc encryption from exponent inversion IBE. In: Naor, M. (ed.) EUROCRYPT 2007. LNCS, vol. 4515, pp. 394–411. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-72540-4_23

  10. Boyen, X.: The uber-assumption family. In: Galbraith, S.D., Paterson, K.G. (eds.) Pairing 2008. LNCS, vol. 5209, pp. 39–56. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-85538-5_3

  11. Chen, Y., Qin, B., Zhang, J., Deng, Y., Chow, S.S.M.: Non-malleable functions and their applications. J. Cryptol. 35(11), 1–41 (2022)

  12. Chow, S.S.M.: Removing escrow from identity-based encryption. In: Jarecki, S., Tsudik, G. (eds.) PKC 2009. LNCS, vol. 5443, pp. 256–276. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-00468-1_15

  13. Chow, S.S.M., Franklin, M., Zhang, H.: Practical dual-receiver encryption. In: Benaloh, J. (ed.) CT-RSA 2014. LNCS, vol. 8366, pp. 85–105. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-04852-9_5

  14. Chow, S.S.M., Russell, A., Tang, Q., Yung, M., Zhao, Y., Zhou, H.-S.: Let a non-barking watchdog bite: cliptographic signatures with an offline watchdog. In: Lin, D., Sako, K. (eds.) PKC 2019. LNCS, vol. 11442, pp. 221–251. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-17253-4_8

  15. Dauterman, E., Corrigan-Gibbs, H., Mazières, D., Boneh, D., Rizzo, D.: True2F: backdoor-resistant authentication tokens. In: IEEE Symposium on Security and Privacy (S&P), pp. 398–416. IEEE (2019)

  16. Dodis, Y., Goldwasser, S., Tauman Kalai, Y., Peikert, C., Vaikuntanathan, V.: Public-key encryption schemes with auxiliary inputs. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 361–381. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_22

  17. Emura, K., Katsumata, S., Watanabe, Y.: Identity-based encryption with security against the KGC: a formal model and its instantiation from lattices. In: Sako, K., Schneider, S., Ryan, P.Y.A. (eds.) ESORICS 2019. LNCS, vol. 11736, pp. 113–133. Springer, Cham (2019). https://doi.org/10.1007/978-3-030-29962-0_6

  18. Fujisaki, E., Xagawa, K.: Efficient RKA-secure KEM and IBE schemes against invertible functions. In: Lauter, K., Rodríguez-Henríquez, F. (eds.) LATINCRYPT 2015. LNCS, vol. 9230, pp. 3–20. Springer, Cham (2015). https://doi.org/10.1007/978-3-319-22174-8_1

  19. Fujisaki, E., Xagawa, K.: Note on the RKA security of continuously non-malleable key-derivation function from PKC 2015. Crypto. ePrint 2015/1088 (2015)

  20. Goyal, V., O’Neill, A., Rao, V.: Correlated-input secure hash functions. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 182–200. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_12

  21. Hofheinz, D., Jia, D., Pan, J.: Identity-based encryption tightly secure under chosen-ciphertext attacks. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11273, pp. 190–220. Springer, Cham (2018). https://doi.org/10.1007/978-3-030-03329-3_7

  22. Katz, J., Sahai, A., Waters, B.: Predicate encryption supporting disjunctions, polynomial equations, and inner products. In: Smart, N. (ed.) EUROCRYPT 2008. LNCS, vol. 4965, pp. 146–162. Springer, Heidelberg (2008). https://doi.org/10.1007/978-3-540-78967-3_9

  23. Lewko, A., Rouselakis, Y., Waters, B.: Achieving leakage resilience through dual system encryption. In: Ishai, Y. (ed.) TCC 2011. LNCS, vol. 6597, pp. 70–88. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-19571-6_6

  24. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010). https://doi.org/10.1007/978-3-642-11799-2_27

  25. Maurer, U.: Abstract models of computation in cryptography. In: Smart, N.P. (ed.) Cryptography and Coding 2005. LNCS, vol. 3796, pp. 1–12. Springer, Heidelberg (2005). https://doi.org/10.1007/11586821_1

  26. Qin, B., Liu, S., Yuen, T.H., Deng, R.H., Chen, K.: Continuous non-malleable key derivation and its application to related-key security. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 557–578. Springer, Heidelberg (2015). https://doi.org/10.1007/978-3-662-46447-2_25

  27. Schwartz, J.T.: Fast probabilistic algorithms for verification of polynomial identities. J. ACM 27(4), 701–717 (1980)

  28. Shoup, V.: Lower bounds for discrete logarithms and related problems. In: Fumy, W. (ed.) EUROCRYPT 1997. LNCS, vol. 1233, pp. 256–266. Springer, Heidelberg (1997). https://doi.org/10.1007/3-540-69053-0_18

  29. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005). https://doi.org/10.1007/11426639_7

  30. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-03356-8_36

  31. Yuen, T.H., Chow, S.S.M., Zhang, Y., Yiu, S.M.: Identity-based encryption resilient to continual auxiliary leakage. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 117–134. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4_9

  32. Yuen, T.H., Zhang, C., Chow, S.S.M., Yiu, S.: Related randomness attacks for public key cryptosystems. In: Bao, F., Miller, S., Zhou, J., Ahn, G. (eds.) ACM AsiaCCS, pp. 215–223. ACM (2015)

Author information

Corresponding author

Correspondence to Sherman S. M. Chow.

Appendices

A Generic Security of Specific Cases of Our Assumption

This section justifies the security of our \(\varPhi \)-oracle DBDH assumption in the variant abstraction of Maurer [25]. This variant GGM model internally stores tuples denoting group elements. We consider a generic group whose order N is a composite of three distinct primes \(p_1p_2p_3\), a setting for which Boyen [10] has discussed a few caveats and justifications. The model internally stores two types of tuples, \((\mu _1, \mu _2, \mu _3)\) and \([\nu _1, \nu _2, \nu _3]\), where \(\mu _i, \nu _i \in [1, p_i]\), to represent an element in the base group and the target group, respectively. This computational model provides two types of operations, \(\mathsf {add}\) and \(\mathsf {mul}\), which add and multiply the tuples, representing the group operation and the pairing, respectively.

The \(\varPhi \)-oracle DBDH problem can be formalized as one to distinguish two black-box accesses \(\mathbf {B}\) and \(\mathbf {B'}\) of the same type but with a different distribution of the initial state. Specifically, for \(\mathbf {B}\), the model stores tuples

$$\begin{aligned} (1, 0, 0), (0, 1, 0), (0, 0, 1), (\alpha , x, 0), (s, y, 0), (v, 0, 0), (v\alpha , 0, 0), (v\alpha s, 0, 0), [\alpha s, 0, 0], \end{aligned}$$

and for \(\mathbf {B'}\), the model stores tuples

$$\begin{aligned} (1, 0, 0), (0, 1, 0), (0, 0, 1), (\alpha , x, 0), (s, y, 0), (v, 0, 0), (v\alpha , 0, 0), (v\alpha s, 0, 0), [t_1, t_2, t_3]. \end{aligned}$$

The computational model offers an additional oracle \(\mathcal {O}\), which takes a polynomial \(f_i\) of degree at most d from \(\varPhi \) as input and stores \((f_i(\alpha ), w_{i, 1}, 0)\) and \((vf_i(\alpha ), w_{i, 2}, 0)\) in its state, where \(w_{i, 1}, w_{i, 2}\) are sampled uniformly from \([1, p_2]\). The adversary can make at most q \(\mathsf {add}\), \(\mathsf {mul}\), or \(\mathcal {O}\) queries to the model.

If no collision occurs in either \(\mathbf {B}\) or \(\mathbf {B'}\), the views of the adversary are trivially identical. Next, we bound the collision probability. In the former case (accessing \(\mathbf {B}\)), a collision occurs in either the base group or the target group.

For the base group, the collision probability is bounded by \(q^2/p\) (based on an existing analysis [25]), where p is the minimum of \((p_1, p_2, p_3)\).

For the target group, when a collision occurs, the values in all three positions must be identical, which means the values in the second position (\({\bmod ~p_2}\)) must be identical. Note that any value in the second position is in the form of

$$\begin{aligned}&c_0 + c_1 x + c_2 y + c_3 w_{i, 1} + c_4 w_{i, 2} \\ +~&d_{1, 2} xy+ d_{1, 3} x w_{i, 1} + d_{1, 4} x w_{i, 2} + d_{2, 3} y w_{i, 1} + d_{2, 4} y w_{i, 2} + d_{3, 4} w_{i, 1} w_{i, 2}, \end{aligned}$$

i.e., a multivariate polynomial in the variables \((x, y, w_{1, 1}, w_{1, 2}, \ldots , w_{q, 1}, w_{q, 2})\) of degree at most 2. Therefore, by a lemma due to Schwartz [27], no collision occurs except with probability \(2q^2/p\).

Conditioned on there being no collision in the second position, any value in the first position is of the form

$$\begin{aligned}&c_0 + c_1\alpha + c_2 s + c_3 v + c_4 v\alpha + c_5 v\alpha s + c_6 v^2\alpha + c_7 v\alpha ^2 + c_8 v \alpha s + c_9 v^2 \alpha s \\ +~&c_{10} v \alpha ^2\,s^2 + \sum _{i=1}^q a_i f_i(\alpha ) + \sum _{i=1}^q b_i v f_i(\alpha ) + \sum _{i=1}^q d_i v \alpha f_i(\alpha ) + \sum _{i=1}^q e_i v\alpha s f_i(\alpha ) \\ +~&\sum _{i=1}^q a_i' v f_i(\alpha ) + \sum _{i=1}^q b_i' v^2 f_i(\alpha ) + \sum _{i=1}^q d_i' v^2 \alpha f_i(\alpha ) + \sum _{i=1}^q e_i' v^2\alpha s f_i(\alpha ) + h_i \alpha s, \end{aligned}$$

which is a multivariate polynomial in \((\alpha , s, v)\) of degree at most \(d+1\). Similarly [27], no collision occurs except with probability \(\frac{ (d+1)(q^2+q)+ 2q^2}{p}\). It is also evident that the collision probability in the latter case (accessing \(\mathbf {B'}\)) is bounded by that of the former (the black-box access to \(\mathbf {B}\)). Thus, the advantage against our assumption above is bounded by \(\frac{(d+1)(q^2+q)+ 3q^2}{p}\), which is negligible.

The non-interactive version of the assumption can be analyzed in this GGM similarly. Applying an analogous analysis (which we skip due to the space limit), the function family \(\varPhi \) can be easily extended to rational functions, as long as the degrees of their denominators are also bounded. This stems from an idea of Boyen [10], which notationally replaces a rational exponent with a polynomial multiplied with the (non-zero) least common multiple of all denominators.

B Security Proofs

1.1 Proof of Theorem 2

Proof

We prove by a hybrid argument using a sequence of games. The first game Game\(_{ real }\) is the real \(\varPhi \)-RKA IND-ID-CPA game. We denote the challenge identity to be \(\mathsf {ID}^*\). The second game Game\(_{ res }\) is the same as Game\(_{ real }\), except that the adversary cannot ask for the secret key of identity \(\mathsf {ID}= \mathsf {ID}^* \bmod p_2\). This restriction will be retained throughout the subsequent games. Let q be the number of extraction oracle queries. For \(k = 0\) to q, we define Game\(_k\) as:

Game\(_{k}\): It is the same as Game\(_{ res }\), except that the challenge ciphertext is semi-functional (SF), and the keys used to answer the first k oracle queries are SF. The keys for the rest of the queries are normal.

As a result, in Game\(_{0}\), all keys are normal and the challenge ciphertext is SF. In Game\(_{q}\), all keys and the challenge ciphertext are SF. We defer to the lemmas below to prove the indistinguishability between these games.

The last game is Game\(_{ final }\), which is the same as Game\(_{q}\) except that the challenge ciphertext is a semi-functional ciphertext encrypting a random message instead of one of the two challenge messages. In Game\(_{ final }\), the value of \(b'\) is information-theoretically hidden from \(\mathcal {A}\). Hence \(\mathcal {A}\) has no advantage in winning Game\(_{ final }\). We will prove below that if Assumptions 1, 2, and the \(\varPhi \)-oracle DBDH assumption hold, then Game\(_{ real }\) is indistinguishable from Game\(_{ final }\).    \(\square \)

Lemma 1

We can construct an algorithm \(\mathcal {B}\) with a non-negligible advantage in breaking Assumption 1 or Assumption 2 if there exists an adversary \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{ real }) - Adv _\mathcal {A}(\mathrm {Game}_{ res }) = \epsilon \).

The proof of Lemma 1 is easy (e.g., see [24, 30]) and is omitted.

Lemma 2

We can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking Assumption 1 if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{ res }) - Adv _\mathcal {A}(\mathrm {Game}_{0}) = \epsilon \).

Proof

Given \((g, X_3, T)\) from Assumption 1, \(\mathcal {B}\) can simulate Game\(_{ res }\) or Game\(_{0}\). \(\mathcal {B}\) chooses random \(a,b,c,\alpha \in \mathbb {Z}_N\), \(h_1 \in \mathbb {G}_{p_1}\). \(\mathcal {B}\) sets \(g_1 = g, h_1 = g^a, u_1 = g^b, v_1 = g^c, g_3 = X_3\). \(\mathcal {B}\) generates the rest of \(\mathsf {mpk}\) according to \(\mathsf {Setup}\) and sets \(\mathsf {msk}= \alpha \).

For the RKA-extraction oracle queries \((\phi , \mathsf {ID})\), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi (\mathsf {msk}), \mathsf {ID})\). Note that \(\mathcal {B}\) can check if \(\phi (\alpha ) = \alpha \) using the knowledge of \(\alpha \).

In the challenge phase, \(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\), and an identity \(\mathsf {ID}^*\). \(\mathcal {B}\) randomly picks a bit \(b' \in \{0, 1\}\). \(\mathcal {B}\) calculates the challenge ciphertext as:

$$ C^*_0 = M^*_{b'} \cdot \hat{e}({T}, g_1)^\alpha , \quad C^*_1 = T, \quad C^*_2 = {T}^{a+b \mathsf {ID}^* +c\alpha }. $$

If \({T} = g^s \), this is a normal ciphertext, and hence \(\mathcal {B}\) simulates Game\(_{ res }\). If \({T} = g^s Y_2\), this is an SF ciphertext with \(\hat{g}_2 = {Y}_2, \hat{g}_2^{\delta } = {Y}_2^{a+b \mathsf {ID}^* +c\alpha }\); and \(\mathcal {B}\) simulates Game\(_{0}\) with \(\delta = a+b \mathsf {ID}^* +c\alpha \). The values of \(a, b, c, \alpha \bmod p_2\) are not correlated with the corresponding values modulo \(p_1\) by the Chinese remainder theorem. If \(\mathcal {A}\) can distinguish between Game\(_{ res }\) and Game\(_{0}\), \(\mathcal {B}\) can break Assumption 1.    \(\square \)

Lemma 3

We can construct an algorithm \(\mathcal {B}\) which breaks Assumption 2 with advantage \(\epsilon \) if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{\ell -1}) - Adv _\mathcal {A}(\mathrm {Game}_{\ell }) = \epsilon \).

Proof

Given \((g, X_1{X}_2, X_3, Y_2Y_3, T)\) from Assumption 2, \(\mathcal {B}\) can simulate Game\(_{\ell -1}\) or Game\(_{\ell }\). \(\mathcal {B}\) chooses random \(a, b, c, \alpha \in \mathbb {Z}_N\), sets \(g_1 = g, h_1 = g^a, u_1 = g^b, v_1 = g^c\), and \(g_3 = X_3\), and generates the rest of \(\mathsf {mpk}\) and \(\mathsf {msk}= \alpha \) according to \(\mathsf {Setup}\).

For the k-th distinct RKA-extraction oracle query on \(\mathsf {ID}_k\) and \(\phi _k\), \(\mathcal {B}\) can compute \(\phi _k(\alpha )\) and check if \(\phi _k(\alpha ) = \alpha \) using the knowledge of \(\alpha \).

  • If \(k < \ell \), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\).

  • If \(k > \ell \), \(\mathcal {B}\) calculates \((K_1, K_2) \leftarrow \mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\) using \(\mathsf {msk}\). \(\mathcal {B}\) randomly picks \(\gamma _1, \gamma _2 \in \mathbb {Z}_N\) and returns the (related) SF-key:

    $$ {K'_1} = {K_1} \cdot (Y_2Y_3)^{{\gamma }_1}, \quad K'_2 = K_2 \cdot (Y_2Y_3)^{\gamma _2}. $$

    This is semi-functional. By the Chinese remainder theorem, the values of \({\gamma _1}, \gamma _2\) modulo \(p_2\) and modulo \(p_3\) are not correlated.

  • If \(k = \ell \), \(\mathcal {B}\) chooses random \(X'_3, X''_3 \in \mathbb {G}_{p_3}\) and returns the (related) key:

    $$ K_1 = g_1^{\phi _\ell (\alpha )} \cdot T^{a + b \cdot \mathsf {ID}_\ell + c \cdot \phi _\ell (\alpha )} \cdot X'_3, \quad K_2 = T \cdot X''_3. $$

    If \(T =Z_1Z_3 \in \mathbb {G}_{p_1p_3}\) where \(Z_i \in \mathbb {G}_{p_i}\), it is a normal key with \(g^{r} = Z_1\). Hence \(\mathcal {B}\) simulates Game\(_{\ell -1}\). If \(T = Z_1 Z_2 Z_3 \in \mathbb {G}\), it is an SF key with \(\bar{g}_2 ^{{\gamma }} = Z_2^{a + b \cdot \mathsf {ID}_\ell + c\cdot \phi _\ell (\alpha )}\) and \(\bar{g}_2 = Z_2\). Hence \(\mathcal {B}\) simulates Game\(_{\ell }\). Note that the value of \({\gamma } \bmod p_2\) is not correlated with the values of a, b, c, and \(\alpha \) modulo \(p_1\).

In the challenge phase, \(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\), and an identity \(\mathsf {ID}^*\). \(\mathcal {B}\) chooses a random bit \(b' \in \{0, 1\}\) and calculates the challenge ciphertext:

$$ C^*_0 = M^*_{b'} \cdot \hat{e}(X_1X_2, g_1)^\alpha , \quad C^*_1 = (X_1X_2), \quad C^*_2 = (X_1X_2)^{a + b \cdot \mathsf {ID}^* + c \cdot \alpha }. $$

It is an SF ciphertext with \(\hat{g}_2 = {X}_2\) and \(\hat{g}_2^{\delta } = X_2^{a + b \cdot \mathsf {ID}^* + c \cdot \alpha }\). If the \(\ell \)-th SF key is created for decrypting the challenge ciphertext, i.e., \(\mathsf {ID}_\ell = \mathsf {ID}^*\) and \(\phi _\ell (\alpha ) = \alpha \), its \(\gamma \) factor becomes \(\delta = a + b \cdot \mathsf {ID}^* + c\cdot \alpha \), so it is a nominally semi-functional key which will always decrypt the challenge ciphertext.

Finally, we have to consider the view of the adversary in the Game\(_\ell \). The value of \({\delta } = a + b \cdot \mathsf {ID}^* + c \cdot \alpha \bmod p_2\) is uncorrelated to \(\gamma = a + b \cdot \mathsf {ID}_\ell + c \cdot \phi _\ell (\alpha )\) since \(a, b, c, \alpha \) are only known in modulo \(p_1\) and:

  • Case 1: \(\mathsf {ID}^* \ne \mathsf {ID}_\ell \). Then \(a + b \cdot \mathsf {ID}_\ell \) is uncorrelated (see Note 7) to \(a + b \cdot \mathsf {ID}^*\) modulo \(p_2\). It implies \(\gamma \) is uncorrelated to \(\delta \) since \(a, b, c, \alpha \) are randomly chosen from \(\mathbb {Z}_N\).

  • Case 2: \(\mathsf {ID}^* = \mathsf {ID}_\ell \) and \(\phi _\ell (\alpha ) \ne \alpha \). Then \(a + c \cdot \phi _\ell (\alpha )\) is uncorrelated (see Note 8) to \(a + c \cdot \alpha \) modulo \(p_2\). It implies \(\gamma \) is uncorrelated to \(\delta \) since \(a, b, c, \alpha \) are randomly chosen from \(\mathbb {Z}_N\).

By definition of the game, the adversary cannot make a query with both \(\mathsf {ID}^* = \mathsf {ID}_\ell \) and \(\phi _\ell (\alpha ) = \alpha \).

So, \(\mathcal {B}\) can break Assumption 2 if \(\mathcal {A}\) can distinguish Game\(_{\ell -1}\) and Game\(_\ell \).    \(\square \)

Lemma 4

Given an adversary \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{q}) - Adv _\mathcal {A}(\mathrm {Game}_{ final }) = \epsilon \), we can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking the \(\varPhi \)-oracle DBDH assumption.

Proof

Given \((g, g^\alpha X_{2}, X_3, g^s Y_2, Z_2, v, v^\alpha , v^{\alpha s}, T)\) and accesses to an oracle \(\mathcal {O}\) from the \(\varPhi \)-oracle DBDH assumption, \(\mathcal {B}\) chooses random \(a, b \in \mathbb {Z}_N\) and sets

$$ g_1 = g, \quad h_1 = g^a, \quad u_1 = g^{b}, \quad v_1 = v, \quad \hat{e}(g_1, g_1)^\alpha = \hat{e}(g, g^\alpha X_2). $$

\(\mathcal {B}\) implicitly sets \(\mathsf {msk}= \alpha \). \(\mathcal {B}\) sends the master public key \(\mathsf {mpk}\) to \(\mathcal {A}\).

\(\mathcal {B}\) can calculate the semi-functional secret key as follows. \(\mathcal {B}\) randomly picks \(r \in \mathbb {Z}_N\), \(R_2, R'_2 \in \mathbb {G}_{p_2}\), and \(R_3, R'_3 \in \mathbb {G}_{p_3}\), and returns:

$$ K'_{1} = (g^\alpha X_2) \cdot (h_1 u_1^{\mathsf {ID}} v_1^\alpha )^r \cdot R_2 \cdot R_3, \quad K'_{2} = g^{r} \cdot R'_2 \cdot R'_3. $$

If it is a related key query with input \(\phi \), then \(\mathcal {B}\) asks \(\mathcal {O}(\phi )\) for obtaining the related key \((g^{\phi (\alpha )} W_2\), \(v_1^{\phi (\alpha )} V_2)\). \(\mathcal {B}\) can answer all extraction oracle queries by:

$$ K'_{1} = (g^{\phi (\alpha )} W_2) \cdot (h_1 u_1^{\mathsf {ID}} \cdot v_1^{\phi (\alpha )} V_2)^r \cdot R_2 \cdot R_3, \quad K'_{2} = g^{r} \cdot R'_2 \cdot R'_3. $$

Note that \(\mathcal {B}\) can check if \(\phi (\alpha ) = \alpha \) by checking if \(\frac{g^{\phi (\alpha )} W_2}{g^\alpha X_2}\) is in the subgroup \(\mathbb {G}_{p_2}\) but not \(\mathbb {G}_{p_1}\) and \(\mathbb {G}_{p_3}\). This is easily doable using \(g \in \mathbb {G}_{p_1}\) and \(X_3 \in \mathbb {G}_{p_3}\).

Finally, \(\mathcal {B}\) picks a random bit \(b'\) and calculates the SF challenge ciphertext:

$$ C'_0 = M^*_{b'} \cdot T, \quad C'_1 = (g^{s}Y_2), \quad C'_2 = (g^{s}Y_2)^{a+b\cdot \mathsf {ID}^*} \cdot v_1^{\alpha s}. $$

If \(T = \hat{e}(g, g)^{\alpha s}\), \(\mathcal {B}\) simulates Game\(_q\); otherwise it simulates Game\(_{ final }\). If \(\mathcal {A}\) can distinguish between these two, \(\mathcal {B}\) can break the \(\varPhi \)-oracle DBDH assumption.    \(\square \)

1.2 Proof of Theorem 3

Proof

We prove by a hybrid argument using a sequence of games. The first game Game\(_{ real }\) is the real \((\varPhi _e, \varPhi _d)\)-RKA IND-ID-CPA game, and we denote the challenge identity to be \(\mathsf {ID}^* = (\mathsf {id}^*_1, \ldots , \mathsf {id}^*_{j^*})\).

The second game Game\(_{ res }\) is the same as Game\(_{ real }\), except that the adversary cannot ask for keys for identities which are prefixes of \(\mathsf {ID}^*\) modulo \(p_2\), for both the extraction oracle \(\mathcal {E}\mathcal {O}\) and the delegation oracle \(\mathcal {D}\mathcal {O}\). This restriction will be retained throughout the subsequent games. We use q to denote the number of distinct \(\mathsf {ID}\) queries to \(\mathcal {E}\mathcal {O}\) and \(\mathcal {D}\mathcal {O}\). For \(k = 0\) to q, we define Game\(_k\) as:

Game\(_{k}\): It is the same as Game\(_{ res }\), except that the challenge ciphertext is SF, and the keys used to answer the first k oracle queries are SF. The keys for the rest of the queries are normal.

As a result, in Game\(_{0}\), all keys are normal and the challenge ciphertext is SF. In Game\(_{q}\), all keys and the challenge ciphertext are SF.

The last game is Game\(_{ final }\), which is the same as Game\(_{q}\) except that the challenge ciphertext is an SF encryption of a random message.

The following lemmas prove the indistinguishability between these games.

Lemma 5

When given an adversary \(\mathcal {A}\) with \( Adv _\mathcal {A}(\mathrm {Game}_{ real }) - Adv _\mathcal {A}(\mathrm {Game}_{ res })= \epsilon \), we can construct an algorithm \(\mathcal {B}\) with a non-negligible advantage in breaking Assumptions 1 or 2.

The proof of Lemma 5 is easy and is omitted.

Lemma 6

We can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking Assumption 1 if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{ res }) - Adv _\mathcal {A}(\mathrm {Game}_{0}) = \epsilon \).

Proof

Given \((g, X_3, T)\) from Assumption 1, \(\mathcal {B}\) can simulate Game\(_{ res }\) or Game\(_{0}\) with \(\mathcal {A}\). \(\mathcal {B}\) uses the bilinear group context from the assumption for the public system parameters, and chooses random \(a,b_1, \ldots , b_H, c, \alpha \in \mathbb {Z}_N\), \(h_1 \in \mathbb {G}_{p_1}\). \(\mathcal {B}\) sets \(g_1 = g, h_1 = g^a, u_1 = g^{b_1}, \ldots , u_H= g^{b_H}, v_1 = g^c, g_3 = X_3\). \(\mathcal {B}\) generates the rest of \(\mathsf {mpk}\) according to \(\mathsf {Setup}\) and sets \(\mathsf {msk}= \alpha \).

For the RKA-extraction oracle queries \((\phi , \mathsf {ID})\), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi (\mathsf {msk}), \mathsf {ID})\). Note that \(\mathcal {B}\) can check if \(\phi (\alpha ) = \alpha \) using the knowledge of \(\alpha \).

In the challenge phase, \(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\), and an identity \(\mathsf {ID}^* = (\mathsf {id}^*_1, \ldots , \mathsf {id}^*_{j^*})\). \(\mathcal {B}\) picks a random bit \(b'\) and derives the challenge ciphertext:

$$ C^*_0 = M^*_{b'} \cdot \hat{e}({T}, g_1)^\alpha , \quad C^*_1 = T, \quad C^*_2 = {T}^{a+\sum _{i=1}^{j^*} b_i \mathsf {id}^*_i +c\alpha }. $$

If \({T} = g^s \), this is a normal ciphertext, and hence \(\mathcal {B}\) simulates Game\(_{ res }\). If \({T} = g^s Y_2\), this is an SF ciphertext with \(\hat{g}_2 = {Y}_2, \hat{g}_2^{\delta } = {Y}_2^{a+\sum _{i=1}^{j^*} b_i \mathsf {id}^*_i +c\alpha }\); and hence \(\mathcal {B}\) simulates Game\(_{0}\) with \(\delta = a+ \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i+c\alpha \). By the Chinese remainder theorem, the values of \(a, b_1, \ldots , b_j, c, \alpha \bmod p_2\) are not correlated with the corresponding values modulo \(p_1\). Therefore, if \(\mathcal {A}\) can distinguish between Game\(_{ res }\) and Game\(_{0}\), \(\mathcal {B}\) can break Assumption 1 with the same probability.    \(\square \)

Lemma 7

We can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking Assumption 2 if there exists \(\mathcal {A}\) such that \( Adv _\mathcal {A}(\mathrm {Game}_{\ell -1}) - Adv _\mathcal {A}(\mathrm {Game}_{\ell }) = \epsilon \).

Proof

Given \((g, X_1{X}_2, X_3, Y_2Y_3, T)\) from Assumption 2, \(\mathcal {B}\) can simulate Game\(_{\ell -1}\) or Game\(_{\ell }\) with \(\mathcal {A}\). \(\mathcal {B}\) chooses random \(a, b_1, \ldots , b_H, c, \alpha \in \mathbb {Z}_N\). Like in the proof of the last lemma, \(\mathcal {B}\) sets \(g_1 = g, h_1 = g^a, u_1 = g^{b_1}, \ldots , u_H= g^{b_H}, v_1 = g^c\), and \(g_3 = X_3\). \(\mathcal {B}\) generates the rest of \(\mathsf {mpk}\) according to \(\mathsf {Setup}\) and sets \(\mathsf {msk}= \alpha \).

For the k-th distinct RKA-extraction oracle query on \(\mathsf {ID}_k = (\mathsf {id}_1, \ldots , \mathsf {id}_j)\) and \(\phi _k\), \(\mathcal {B}\) can check if \(\phi _k(\alpha ) = \alpha \) by the knowledge of \(\alpha \).

  • If \(k < \ell \), \(\mathcal {B}\) returns \(\mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\).

  • If \(k > \ell \), \(\mathcal {B}\) derives \((K_1, K_2, D_{j+1}, \ldots , D_H) \leftarrow \mathsf {Extract}(\phi _k(\mathsf {msk}), \mathsf {ID}_k)\) by \(\mathsf {msk}\). \(\mathcal {B}\) randomly picks \(\gamma _1, \gamma _2, \gamma '_{j+1}, \ldots , \gamma '_H\in \mathbb {Z}_N\) and returns the (related) SF key:

    $$ {{K}'_1} = {K_1} \cdot (Y_2Y_3)^{{\gamma }_1}, \quad {K}'_2 = K_2 \cdot (Y_2Y_3)^{\gamma _2}, \quad \{{D}'_{i} = D_{i} \cdot (Y_2Y_3)^{\gamma '_{i}}\}_{\forall i \in \{j+1, \ldots , H\}}. $$

    This is semi-functional. By the Chinese remainder theorem, the values of \({\gamma _1}, \gamma _2, \gamma '_{j+1}, \ldots , \gamma '_H\) modulo \(p_2\) and modulo \(p_3\) are not correlated.

  • If \(k = \ell \), \(\mathcal {B}\) chooses random \(X'_3, X''_3, X_{3, j+1}, \ldots , X_{3, H} \in \mathbb {G}_{p_3}\) and returns the (related) key:

    $$ K_1 = g_1^{\phi _\ell (\alpha )} T^{a + \sum _{i=1}^j b_i \mathsf {id}_i + c \phi _\ell (\alpha )} X'_3, K_2 = T X''_3, \{D_{i} = T^{b_{i}} X_{3, i}\}_{\forall i \in \{j+1, \ldots , H\}}. $$

    If \(T = Z_1Z_3 \in \mathbb {G}_{p_1p_3}\), where \(Z_i \in \mathbb {G}_{p_i}\), it is a normal key with \(g^{r} = Z_1\). Hence \(\mathcal {B}\) simulates Game\(_{\ell -1}\). If \(T = Z_1 Z_2 Z_3 \in \mathbb {G}\), it is an SF key with \(\bar{g}_2 = Z_2\), \(\bar{g}_2 ^{{\gamma }} = Z_2^{a + \sum _{i=1}^j b_i \mathsf {id}_i + c \phi _\ell (\alpha )}\), \(\bar{g}_2 ^{{\gamma '_{j+1}}} = Z_2^{b_{j+1}}, \ldots , \bar{g}_2 ^{{\gamma '_{H}}} = Z_2^{b_{H}}\). Hence \(\mathcal {B}\) simulates Game\(_{\ell }\). Again, note that the values of \({\gamma }, \gamma '_{j+1}, \ldots , \gamma '_H\bmod p_2\) are not correlated with the values of \(a,b_1, \ldots , b_H, c\) and \(\alpha \) modulo \(p_1\).

For the k-th distinct RKA-delegation query on \(\mathsf {ID}_k = (\mathsf {id}_1, \ldots , \mathsf {id}_{j-1}, \mathsf {id}_{j})\) and \(\phi _{k} = (\varphi _1, \varphi _2, \varphi '_{j}, \ldots , \varphi '_H)\):

  • if \(k < \ell \), \(\mathcal {B}\) calculates \((K_1, K_2, D_{j}, \ldots , D_H) \leftarrow \mathsf {Extract}(\mathsf {msk}, (\mathsf {id}_1, \ldots , \mathsf {id}_{j-1}))\). \(\mathcal {B}\) returns \(\mathsf {Delegate}(\mathsf {mpk}, (\varphi _1(K_1), \varphi _2(K_2), \varphi '_j(D_{j}), \ldots , \varphi '_{H}(D_H)), \mathsf {id}_{j})\).

  • if \(k > \ell \), \(\mathcal {B}\) calculates \(\mathsf {sk}'_{\mathsf {ID}_k}\) as above. Denote \(\mathsf {sk}'_{\mathsf {ID}_k} = (\tilde{K}_1, \tilde{K}_2, \tilde{D}_{j+1}, \ldots , \tilde{D}_{H})\). \(\mathcal {B}\) randomly picks \(\gamma _1, \gamma _2, \gamma '_{j+1}, \ldots , \gamma '_H\in \mathbb {Z}_N\) and returns the (related) SF key:

    $$ {{K}'_1} = {\tilde{K}_1} \cdot (Y_2Y_3)^{{\gamma }_1}, \quad {K}'_2 = \tilde{K}_2 \cdot (Y_2Y_3)^{\gamma _2}, \quad \{D'_{i} = \tilde{D}_{i} \cdot (Y_2Y_3)^{\gamma '_{i}}\}_{\forall i \in \{j+1, \ldots , H\}}. $$

  • if \(k = \ell \), \(\mathcal {B}\) picks \(X'_3, X''_3, X_{3, j}, \ldots , X_{3, H} \in \mathbb {G}_{p_3}\) and returns the (related) key:

    $$ K_1 = g_1^{\alpha } \cdot T^{a + \sum _{i=1}^{j-1} b_i \mathsf {id}_i + c \alpha } \cdot X'_3, ~ K_2 = T \cdot X''_3, ~ \{D_{i} = T^{b_{i}} \cdot X_{3, i}\}_{\forall i \in \{j, \ldots , H\}}. $$

    \(\mathcal {B}\) returns \(\mathsf {Delegate}(\mathsf {mpk}, (\varphi _1(K_1), \varphi _2(K_2), \varphi '_{j}(D_{j}), \ldots , \varphi '_{H}(D_H)), \mathsf {id}_{j})\). If \(T = Z_1Z_3 \in \mathbb {G}_{p_1p_3}\), where \(Z_i \in \mathbb {G}_{p_i}\), it is a normal key with \(g^{r} = Z_1\). Hence \(\mathcal {B}\) simulates Game\(_{\ell -1}\). If \(T = Z_1 Z_2 Z_3 \in \mathbb {G}\), it is a related SF key with \(\bar{g}_2 = \varphi _2(Z_2)\) due to the isomorphic property of \(\varphi _2\), \(\bar{g}_2 ^{{\gamma }} = \varphi _1(Z_2^{a + \sum _{i=1}^{j-1} b_i \mathsf {id}_i + c \cdot \alpha }) \cdot \varphi '_j(Z_2^{\mathsf {id}_{j} b_{j}})\), \(\bar{g}_2 ^{{\gamma '_{j+1}}} = \varphi '_{j+1}(Z_2^{b_{j+1}})\), and \(\bar{g}_2 ^{{\gamma '_{H}}} = \varphi '_H(Z_2^{b_{H}})\). Hence \(\mathcal {B}\) simulates Game\(_{\ell }\). Again, note that the values of \({\gamma }, \gamma '_{j+1}, \ldots , \gamma '_H\bmod p_2\) are not correlated with the values of \(a,b_1, \ldots , b_H, c\), and \(\alpha \) modulo \(p_1\).

\(\mathcal {A}\) sends \(\mathcal {B}\) two messages \(M^*_0, M^*_1\) and an identity \(\mathsf {ID}^* = (\mathsf {id}^*_1, \ldots , \mathsf {id}^*_{j^*})\) in the challenge phase. \(\mathcal {B}\) picks a random bit \(b'\) and derives the challenge ciphertext:

$$ C^*_0 = M^*_{b'} \cdot \hat{e}(X_1X_2, g_1)^\alpha , \quad C^*_1 = (X_1X_2), \quad C^*_2 = (X_1X_2)^{a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha }. $$

It is an SF ciphertext with \(\hat{g}_2 = {X}_2\) and \(\hat{g}_2^{\delta } = X_2^{a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha }\). Recall that the \(\gamma \) factor for the \(\ell \)-th SF key will be equal to \(\delta \) for the same identity vector and when \(\phi _\ell (\alpha )\) is an identity function (i.e., a key that can decrypt the challenge ciphertext), so it is a nominally semi-functional key that will always decrypt the challenge ciphertext. If the \(\ell \)-th oracle query is for the extraction oracle, the value of \({\delta } = a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha \bmod p_2\) is uncorrelated to \(\gamma = a + \sum _{i=1}^j b_i \mathsf {id}_i + c \cdot \phi _\ell (\alpha )\) since \(a, b_1, \ldots , b_H, c, \alpha \) are only known in modulo \(p_1\) and:

  • Case 1: \(\mathsf {ID}_\ell \) is not a prefix of \(\mathsf {ID}^*\). There exists some \(i \in [1,j^*]\) such that \(\mathsf {id}^*_i \ne \mathsf {id}_i\). Then \(a + b_i \cdot \mathsf {id}_i\) is uncorrelated (Footnote 9) to \(a + b_i \cdot \mathsf {id}^*_i\) modulo \(p_2\). It implies \(\gamma \) is uncorrelated to \(\delta \) since \(a\) and \(b_i\) are randomly chosen from \(\mathbb {Z}_N\).

  • Case 2: \(\mathsf {ID}_\ell \) is a prefix of \(\mathsf {ID}^*\) and \(\phi _\ell (\alpha ) \ne \alpha \). Then \(a + c \cdot \phi _\ell (\alpha )\) is uncorrelated to \(a + c \cdot \alpha \) (Footnote 10), and \(\gamma \) is uncorrelated to \(\delta \) since \(a\) and \(c\) are random elements of \(\mathbb {Z}_N\).

By the definition of the security model, the adversary cannot ask for any extraction oracle query with \(\mathsf {ID}^* = \mathsf {ID}_\ell \) and \(\phi _\ell (\alpha ) = \alpha \).

If the \(\ell \)-th oracle query is for delegation, since \(\varphi _1 = \varphi '_j\), and \(\varphi _1\) is isomorphic,

$$ \bar{g}_2 ^{{\gamma }} = \varphi _1(Z_2^{a + \sum _{i=1}^{j-1} b_i \mathsf {id}_i + c \alpha }) \cdot \varphi '_j(Z_2^{\mathsf {id}_{j} b_{j}}) = \varphi _1(Z_2^{a + \sum _{i=1}^{j} b_i \mathsf {id}_i + c \alpha }), $$

  • Case 1: If \(\mathsf {ID}_\ell \) is not a prefix of \(\mathsf {ID}^*\), it is also uncorrelated to the value of \(\hat{g}_2^{\delta } = X_2^{a + \sum _{i=1}^{j^*} b_i \mathsf {id}^*_i + c \cdot \alpha }\), due to a distribution analysis similar to the case of the extraction oracle.

  • Case 2: If \(\mathsf {ID}_\ell \) is a prefix of \(\mathsf {ID}^*\), we have \(\bar{g}_2 = \varphi _2(Z_2)\). Hence

    $$ \gamma = (a + \sum _{i=1}^{j} b_i \mathsf {id}_i + c \alpha ) \cdot \log _{\varphi _2(Z_2)} \varphi _1(Z_2). $$

    \(\gamma \) is correctly distributed as \(\log _{\varphi _2(Z_2)} \varphi _1(Z_2)\) is randomly distributed in \(\mathbb {Z}_N\).

So, \(\mathcal {B}\) can break Assumption 2 if \(\mathcal {A}\) can distinguish Game\(_{\ell -1}\) and Game\(_\ell \).    \(\square \)

Lemma 8

Given an adversary \(\mathcal {A}\) such that \(\mathrm {Adv}_\mathcal {A}(\mathrm {Game}_{q}) - \mathrm {Adv}_\mathcal {A}(\mathrm {Game}_{ final }) =\epsilon \), we can construct an algorithm \(\mathcal {B}\) with advantage \(\epsilon \) in breaking the \(\varPhi _e\)-oracle DBDH assumption.

Proof

Given \((g, g^\alpha X_{2}, X_3, g^s Y_2, Z_2, v, v^\alpha , v^{\alpha s}, T)\) and access to an oracle \(\mathcal {O}\) from the \(\varPhi _e\)-oracle DBDH assumption, \(\mathcal {B}\) chooses random \(a, b \in \mathbb {Z}_N\) and sets

$$ g_1 = g, \quad h_1 = g^a, \quad u_1 = g^{b}, \quad v_1 = v, \quad \hat{e}(g_1, g_1)^\alpha = \hat{e}(g, g^\alpha X_2). $$

\(\mathcal {B}\) implicitly sets \(\mathsf {msk}= \alpha \). \(\mathcal {B}\) sends the master public key \(\mathsf {mpk}\) to \(\mathcal {A}\).

To compute the semi-functional secret key, \(\mathcal {B}\) randomly picks \(r \in \mathbb {Z}_N\), \(R_2, R'_2, R_{2, j+1}, \ldots , R_{2, H} \in \mathbb {G}_{p_2}\) (as powers of \(Z_2\)), and \(R_3, R'_3, R_{3, j+1}, \ldots , R_{3, H} \in \mathbb {G}_{p_3}\), then returns:

$$\begin{aligned} K_{1}&= (g^\alpha X_2) \cdot (h_1 u_1^{\mathsf {id}_1} \cdots u_j^{\mathsf {id}_j} v_1^\alpha )^r \cdot R_2 R_3, \quad K_{2} = g^{r} \cdot R'_2 R'_3, \\ D_{j+1}&= u_{j+1}^r \cdot R_{2, j+1}R_{3, j+1}, \quad \quad \ldots , \quad \quad \quad \quad D_{H}= u_{H}^r \cdot R_{2, H}R_{3, H}. \end{aligned}$$

If it is an RKA-delegation oracle query with input \(\phi _d = (\varphi _1, \varphi _2, \varphi '_{j}, \ldots , \varphi '_{H})\), \(\mathcal {B}\) returns \(\mathsf {sk}'_{\mathsf {ID}_k} \leftarrow \mathsf {Delegate}(\mathsf {mpk}, (\varphi _1(K_1), \varphi _2(K_2), \varphi '_{j}(D_{j}), \ldots , \varphi '_{H}(D_H)), \mathsf {id}_{j})\).

If it is a related key query with input \(\phi _e\), then \(\mathcal {B}\) asks \(\mathcal {O}(\phi _e)\) and obtains \((g^{\phi _e(\alpha )} W_2, v_1^{\phi _e(\alpha )} V_2)\). \(\mathcal {B}\) returns

$$ K_{1} = (g^{\phi _e(\alpha )} W_2) \cdot (h_1 u_1^{\mathsf {ID}} \cdot v_1^{\phi _e(\alpha )} V_2)^r \cdot R_2 \cdot R_3, \quad K_{2} = g^{r} \cdot R'_2 \cdot R'_3. $$

Therefore, \(\mathcal {B}\) can answer all extraction oracle queries. Note that \(\mathcal {B}\) can check if \(\phi _e(\alpha ) = \alpha \) by checking whether \({g^{\phi _e(\alpha )} W_2}/{(g^\alpha X_2)}\) lies in the subgroup \(\mathbb {G}_{p_2}\), i.e., has no \(\mathbb {G}_{p_1}\) or \(\mathbb {G}_{p_3}\) component. This is easily doable by pairing with \(g \in \mathbb {G}_{p_1}\) and \(X_3 \in \mathbb {G}_{p_3}\).

Finally, \(\mathcal {B}\) picks a random bit \(b'\) and computes the SF challenge ciphertext:

$$ C'_0 = M^*_{b'} \cdot T, \quad C'_1 = (g^{s}Y_2), \quad C'_2 = (g^{s}Y_2)^{a+b\cdot \mathsf {ID}^*} \cdot v_1^{\alpha s}. $$

If \(T = \hat{e}(g, g)^{\alpha s}\), \(\mathcal {B}\) simulates Game\(_q\). Otherwise, \(\mathcal {B}\) simulates Game\(_{ final }\). If \(\mathcal {A}\) can distinguish, \(\mathcal {B}\) can break the \(\varPhi _e\)-oracle DBDH assumption.    \(\square \)
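The following is an added, constructed example (not part of the paper and not the authors' code) that makes two of the simulator arguments above concrete: the Chinese remainder theorem argument that exponents known only modulo \(p_1\) are uncorrelated with their values modulo \(p_2\) (used in Lemma 7 and the lemma preceding it), and the check in Lemma 8 that \(\phi _e(\alpha ) = \alpha \) can be decided from \({g^{\phi _e(\alpha )} W_2}/{(g^\alpha X_2)}\) by subgroup membership. It assumes a toy composite-order group, namely the order-\(N\) subgroup of \(\mathbb {Z}_q^*\) with \(N = 7 \cdot 11 \cdot 13\) and the smallest prime \(q \equiv 1 \pmod N\); this group has no pairing, so the pairing tests with \(g\) and \(X_3\) are replaced by the equivalent exponentiation test \(h^{N/p_i} = 1\) for "the \(\mathbb {G}_{p_i}\) component of \(h\) is trivial". All names (`crt_residue_counts`, `simulator_detects_identity_map`, and so on) are hypothetical.

```python
"""Constructed toy model (added example, not the paper's code) of a
composite-order cyclic group of order N = p1*p2*p3, realised as the order-N
subgroup of Z_q^* for a prime q with N | q-1.  Parameters are assumed toy
values; the pairing tests of the proof are replaced by exponentiation-based
subgroup tests that expose the same per-component information."""
import random
from collections import Counter

P1, P2, P3 = 7, 11, 13      # toy subgroup orders (assumption: tiny, for illustration only)
N = P1 * P2 * P3            # 1001


def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True


def find_q(n):
    """Smallest prime q = k*n + 1, so that Z_q^* has a cyclic subgroup of order n."""
    k = 1
    while not is_prime(k * n + 1):
        k += 1
    return k * n + 1


Q = find_q(N)


def order_n_generator(q, n):
    """Deterministically find an element of Z_q^* of order exactly n."""
    for x in range(2, q):
        g = pow(x, (q - 1) // n, q)
        if all(pow(g, n // p, q) != 1 for p in (P1, P2, P3)):
            return g
    raise ValueError("no element of order n")


G = order_n_generator(Q, N)
# Generators of the prime-order subgroups G_{p1}, G_{p2}, G_{p3}.
G1, G2, G3 = (pow(G, N // p, Q) for p in (P1, P2, P3))


def mul(x, y):
    return x * y % Q


def inv(x):
    return pow(x, Q - 2, Q)


def has_trivial_component(h, p):
    """True iff the G_p component of h is the identity, i.e. ord(h) divides N/p.
    This is exactly what the pairing e(h, g') = 1, for g' a generator of G_p, reveals."""
    return pow(h, N // p, Q) == 1


def crt_residue_counts(a0):
    """Over all alpha in Z_N with alpha = a0 (mod p1), count the values of alpha mod p2.
    Uniform counts show alpha mod p2 is independent of alpha mod p1 (CRT), which is why
    exponents the simulator knows only modulo p1 say nothing about them modulo p2."""
    return Counter(alpha % P2 for alpha in range(N) if alpha % P1 == a0)


def simulator_detects_identity_map(alpha, phi, seed=0):
    """Model of the check in Lemma 8.  B holds g^alpha * X2 with g in G_{p1} and X2
    random in G_{p2}; the oracle returns g^{phi(alpha)} * W2 with W2 random in G_{p2}.
    The ratio lies in G_{p2} iff phi(alpha) = alpha (mod p1), the only part of alpha
    that an element of G_{p1} can expose."""
    rng = random.Random(seed)
    X2 = pow(G2, rng.randrange(P2), Q)
    W2 = pow(G2, rng.randrange(P2), Q)
    masked_alpha = mul(pow(G1, alpha, Q), X2)           # g^alpha X2 from the assumption
    oracle_out = mul(pow(G1, phi(alpha) % N, Q), W2)     # g^{phi(alpha)} W2 from O(phi)
    ratio = mul(oracle_out, inv(masked_alpha))           # g^{phi(alpha)-alpha} * W2/X2
    # The G_{p2} part W2/X2 is random and uninformative; only the G_{p1} and G_{p3}
    # parts matter, and the G_{p3} part is always trivial in this setting.
    return has_trivial_component(ratio, P1) and has_trivial_component(ratio, P3)


if __name__ == "__main__":
    print("q =", Q, "N =", N)
    print("alpha mod p2 given alpha = 3 mod p1:", dict(crt_residue_counts(3)))
    print("phi = id           ->", simulator_detects_identity_map(5, lambda a: a))
    print("phi = a + 1        ->", simulator_detects_identity_map(5, lambda a: a + 1))
    print("phi = a^{-1} mod N ->", simulator_detects_identity_map(5, lambda a: pow(a, -1, N)))
```

The case \(\phi (\alpha ) = \alpha + p_1\) is worth running as well: the ratio then lies in \(\mathbb {G}_{p_2}\) even though \(\phi (\alpha ) \ne \alpha \) in \(\mathbb {Z}_N\), which illustrates that the membership test sees only \(\alpha \bmod p_1\), the same modulus the simulator's \(\mathbb {G}_{p_1}\) elements depend on.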

Copyright information

© 2022 Springer Nature Switzerland AG

Cite this paper

Yuen, T.H., Zhang, C., Chow, S.S.M. (2022). Don’t Tamper with Dual System Encryption. In: Ateniese, G., Venturi, D. (eds) Applied Cryptography and Network Security. ACNS 2022. Lecture Notes in Computer Science, vol 13269. Springer, Cham. https://doi.org/10.1007/978-3-031-09234-3_21

  • DOI: https://doi.org/10.1007/978-3-031-09234-3_21

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-09233-6

  • Online ISBN: 978-3-031-09234-3