
Anonymous (Hierarchical) Identity-Based Encryption from Broader Assumptions

Conference paper. In: Applied Cryptography and Network Security (ACNS 2023). Part of the book series: Lecture Notes in Computer Science (LNCS, volume 13906).

Abstract

Döttling and Garg (CRYPTO 2017) introduced a non-black-box approach to identity-based encryption (IBE). This paves the way for the first and still the only anonymous IBE (AIBE) scheme from the computational Diffie–Hellman (CDH) assumption of Brakerski et al. (EUROCRYPT 2018). This paper revisits the blinding technique of Brakerski et al. and introduces a suite of blind primitives, extending chameleon encryption, hash encryption, and one-time signature with encryption. Using them, we propose an AIBE scheme from CDH with improved efficiency compared to Brakerski et al., especially in the decryption time. We also propose the first anonymous hierarchical IBE (AHIBE) scheme from CDH and the first AIBE and AHIBE schemes from the \(\phi \)-hiding assumption, with similar efficiency as their non-anonymous counterparts.

Sherman Chow is supported in part by the General Research Funds (CUHK 14210621 and 14209918), University Grants Committee, Hong Kong.


References

  1. Abdalla, M., et al.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2007). https://doi.org/10.1007/s00145-007-9006-6

  2. Agrawal, S., Boneh, D., Boyen, X.: Efficient lattice (H)IBE in the standard model. In: EUROCRYPT (2010)

  3. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT (2004)

  4. Boneh, D., Crescenzo, G.D., Ostrovsky, R., Persiano, G.: Public key encryption with keyword search. In: EUROCRYPT (2004)

  5. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: CRYPTO (2001)

  6. Boneh, D., Papakonstantinou, P.A., Rackoff, C., Vahlis, Y., Waters, B.: On the impossibility of basing identity based encryption on trapdoor permutations. In: FOCS (2018)

  7. Boyen, X., Waters, B.: Anonymous hierarchical identity-based encryption (without random oracles). In: CRYPTO (2006)

  8. Brakerski, Z., Lombardi, A., Segev, G., Vaikuntanathan, V.: Anonymous IBE, leakage resilience and circular security from new assumptions. In: EUROCRYPT (2018)

  9. Cachin, C., Micali, S., Stadler, M.: Computationally private information retrieval with polylogarithmic communication. In: EUROCRYPT (1999)

  10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: EUROCRYPT (2003)

  11. Cash, D., Hofheinz, D., Kiltz, E., Peikert, C.: Bonsai trees, or how to delegate a lattice basis. J. Cryptol. 25(4), 601–639 (2011). https://doi.org/10.1007/s00145-011-9105-2

  12. Cho, C., Döttling, N., Garg, S., Gupta, D., Miao, P., Polychroniadou, A.: Laconic oblivious transfer and its applications. In: CRYPTO Part II (2017)

  13. Chow, S.S.M.: Removing escrow from identity-based encryption. In: PKC (2009)

  14. Chow, S.S.M., Roth, V., Rieffel, E.G.: General certificateless encryption and timed-release encryption. In: SCN (2008)

  15. Döttling, N., Garg, S.: From selective IBE to full IBE and selective HIBE. In: TCC Part I (2017)

  16. Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. In: CRYPTO Part I (2017)

  17. Döttling, N., Garg, S.: Identity-based encryption from the Diffie-Hellman assumption. J. ACM 68, 1–46 (2021)

  18. Döttling, N., Garg, S., Hajiabadi, M., Masny, D.: New constructions of identity-based and key-dependent message secure encryption schemes. In: PKC Part I (2018)

  19. Garg, S., Hajiabadi, M.: Trapdoor functions from the computational Diffie-Hellman assumption. In: CRYPTO Part II (2018)

  20. Garg, S., Hajiabadi, M., Mahmoody, M., Rahimi, A.: Registration-based encryption: removing private-key generator from IBE. In: TCC Part I (2018)

  21. Gentry, C.: Practical identity-based encryption without random oracles. In: EUROCRYPT (2006)

  22. Goldreich, O., Goldwasser, S., Micali, S.: How to construct random functions (extended abstract). In: FOCS (1984)

  23. Goldreich, O., Levin, L.A.: A hard-core predicate for all one-way functions. In: STOC (1989)

  24. Goyal, R., Vusirikala, S., Waters, B.: New constructions of hinting PRGs, OWFs with encryption, and more. In: CRYPTO Part I (2020)

  25. Koppula, V., Waters, B.: Realizing chosen ciphertext security generically in attribute-based encryption and predicate encryption. In: CRYPTO Part II (2019)

  26. Papakonstantinou, P.A., Rackoff, C., Vahlis, Y.: How powerful are the DDH hard groups? IACR Cryptol. ePrint Arch. 2012/653 (2012)

  27. Waters, B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT (2005)

  28. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: CRYPTO (2009)

Corresponding author: Sherman S. M. Chow.


A Proof of Security


A.1 Proof of Theorem 3

Proof

Let \(\bar{{\textsf{ct}}}_1={\textsf{E}}_1(k, i; \rho ) = (i, c=g^\rho , (c_{j, b'}) = (g_{j, b'}^\rho )_{j\in [n]\backslash \{i\}, b'\in \{0, 1\}})\), \(\bar{{\textsf{ct}}}_2={\textsf{E}}_2(k, (h, i, b), m; \rho )=m\oplus {\textsf{HardCore}}(\frac{h^\rho }{g_{i, b}^\rho })\). It is obvious that \(\bar{{\textsf{ct}}}_1\) is independent of h, b, and \(m\). As \({\textsf{HardCore}}(\frac{h^\rho }{g_{i, b}^\rho })\) is deterministic given \(\bar{{\textsf{ct}}}_1\), we have that \(\bar{{\textsf{ct}}}_2\) is random as long as \(m\) is random. It follows that any adversary will have exactly 1/2 probability of winning the IND-BLIND game.    \(\square \)
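The \(E_1\)/\(E_2\) split that the argument above rests on, as an added example that is not part of the paper: a toy implementation of the CDH-based chameleon encryption with its hash, the trapdoor collision \(H^{-1}\) used by the challenger in the hybrids of Lemma 1, and the encryption split into a recipient-independent \(E_1\) and a recipient-dependent \(E_2\). The group parameters, the public seed of the Goldreich-Levin style parity bit standing in for HardCore, and all function names are this example's own assumptions.

```python
import secrets

# Toy group, constructed for this example (not the paper's parameters):
# safe prime P = 2Q + 1 and the order-Q subgroup of Z_P^*. Far too small
# to be secure; it only makes the algebra of E_1 and E_2 concrete.
P, Q = 1019, 509
G = 4  # a quadratic residue mod P, hence a generator of the order-Q subgroup


def ce_keygen(n):
    """Chameleon-encryption key k = (g_{j,b}) with trapdoor t = (alpha_{j,b})
    for n-bit inputs, where g_{j,b} = G^alpha_{j,b}."""
    t = {(j, b): 1 + secrets.randbelow(Q - 1) for j in range(n) for b in (0, 1)}
    k = {jb: pow(G, a, P) for jb, a in t.items()}
    return k, t


def ce_hash(k, x, r):
    """H(k, x; r) = G^r * prod_j g_{j, x_j}."""
    h = pow(G, r, P)
    for j, xj in enumerate(x):
        h = h * k[(j, xj)] % P
    return h


def ce_collide(t, x, r, x_new):
    """H^{-1}(t, (x, r), x_new): randomness r' with H(k, x_new; r') = H(k, x; r).
    Trapdoor collision, as used by the challenger in the hybrids of Lemma 1."""
    shift = sum(t[(j, a)] - t[(j, a_new)]
                for j, (a, a_new) in enumerate(zip(x, x_new)))
    return (r + shift) % Q


def hardcore(z, seed):
    """Goldreich-Levin style hard-core bit: parity of the inner product of the
    bits of z with a public seed. The seed is this example's assumption."""
    return bin(z & seed).count("1") & 1


def ce_enc1(k, n, i, rho):
    """E_1(k, i; rho): recipient-independent part. It takes neither h, b nor m."""
    c = pow(G, rho, P)
    c_jb = {(j, b): pow(k[(j, b)], rho, P)
            for j in range(n) for b in (0, 1) if j != i}
    return (i, c, c_jb)


def ce_enc2(k, h, i, b, m, rho, seed):
    """E_2(k, (h, i, b), m; rho) = m XOR HardCore(h^rho / g_{i,b}^rho)."""
    z = pow(h, rho, P) * pow(pow(k[(i, b)], rho, P), -1, P) % P
    return m ^ hardcore(z, seed)


def ce_dec(ct1, ct2, x, r, seed):
    """Decrypt with a preimage (x, r) of h. Correct when x_i = b, because then
    h^rho / g_{i,b}^rho = c^r * prod_{j != i} c_{j, x_j}."""
    i, c, c_jb = ct1
    z = pow(c, r, P)
    for j, xj in enumerate(x):
        if j != i:
            z = z * c_jb[(j, xj)] % P
    return ct2 ^ hardcore(z, seed)


def blindness_demo(n=4, i=2):
    """Replay the Theorem 3 argument on concrete values; returns the checks."""
    seed = secrets.randbits(P.bit_length())
    k, t = ce_keygen(n)
    x = [secrets.randbelow(2) for _ in range(n)]
    r = secrets.randbelow(Q)
    h, b = ce_hash(k, x, r), x[i]
    rho = 1 + secrets.randbelow(Q - 1)
    ct1 = ce_enc1(k, n, i, rho)
    ct2 = {m: ce_enc2(k, h, i, b, m, rho, seed) for m in (0, 1)}
    # A fresh preimage of h obtained through the trapdoor also decrypts.
    x_alt = [secrets.randbelow(2) for _ in range(n)]
    x_alt[i] = b
    r_alt = ce_collide(t, x, r, x_alt)
    return {
        "decrypts": all(ce_dec(ct1, ct2[m], x, r, seed) == m for m in (0, 1)),
        "collision_hashes_to_h": ce_hash(k, x_alt, r_alt) == h,
        "collision_decrypts": all(ce_dec(ct1, ct2[m], x_alt, r_alt, seed) == m
                                  for m in (0, 1)),
        # For fixed ct1, m -> ct2 is XOR with a bit fixed by ct1 and the
        # recipient, i.e. a bijection, so a uniform m yields a uniform ct2.
        "ct2_is_one_time_pad": ct2[0] ^ ct2[1] == 1,
    }


if __name__ == "__main__":
    print(blindness_demo())
```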

A.2 Proof of Theorem 5

Proof

Suppose \(\mathcal A\) is an efficient adversary playing the IND-ID-CPA security game. We will show that the advantage of \(\mathcal A\) is negligible with a sequence of hybrids. Let q be a polynomial upper bound on the runtime of \(\mathcal A\), and thus also an upper bound for the number of \(\mathcal A\)’s key queries.

  • \(G_{\textsf{real}}\): This game is the original security game, as shown in Definition 4.

  • \(G_0\): This game is identical to \(G_{\textsf{real}}\) except that all pseudorandom function calls are responded to using a truly random function.

  • \(G_\tau \) for \(\tau \in [1, n]\): For every \(\tau \), this game is identical to \(G_0\) except in how the challenge ciphertext is generated. Recall that the challenge ciphertext contains a sequence of \(n + 1\) garbled circuits. In \(G_\tau \), we generate the first \(\tau \) of these garbled circuits using the simulator provided by the garbled circuit construction. More formally, to compute a challenge ciphertext for identity \({\textsf{id}}^*\), the first \(\tau \) garbled circuits are generated as follows:

    • For \(i = \tau -1, \ldots , 0\), parse \(\bar{Y}^{(i+1)}=(Y^{(i+1)}_{j, b})_{j, b}\), compute \((\tilde{{\textsf{Q}}}^{(i)}, (Y^{(i)}_{j})_{j}) \leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{BatchEnc}}(k_{i},h_{i}, {\textsf{id}}^*[{i+1}], ({Y}^{(i+1)}_{j,h_{i+1}[j]},{Y}^{(i+1)}_{j,h_{i+1}[j]})_j; \bar{\rho }^{(i+1)}))\), and set \(\bar{Y}^{(i)}=(Y^{(i)}_{j},Y^{(i)}_{j})_{j}\).

    We note that we can always generate \((h_i, x_i, r_i)\) for \(i\in [0, n-1]\) locally.

  • \(G_{n+1}\): This game is identical to \(G_n\) except that we generate the (\(n+1\))-th garbled circuit using the simulator provided by the garbled circuit construction. More formally, to compute a challenge ciphertext for identity \({\textsf{id}}^*\), the (\(n+1\))-th garbled circuit is generated as follows:

    • For \(i = n\), compute

      $$(\tilde{{\textsf{T}}}, (Y^{(i)}_{j})_{j})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\mathcal {PKE}}.{\textsf{E}}_2({\textsf{pp}}^{\mathcal {PKE}}, {\textsf{lpk}}_{{\textsf{id}}^*}, m_\zeta ; \rho ')),$$

      and set \(\bar{Y}^{(i)}=(Y^{(i)}_{j},Y^{(i)}_{j})_{j}\).

    We note that even though the adversary is not allowed to query for \({\textsf{sk}}_{{\textsf{id}}^*}\), we can always generate \({\textsf{lpk}}_{{\textsf{id}}^*}\) locally.

  • \(G_{\textsf{final}}\): This game is identical to \(G_{n+1}\) except that we change the ciphertext \({\mathcal {PKE}}.{\textsf{E}}_2({\textsf{pp}}^{\mathcal {PKE}}, {\textsf{lpk}}_{{\textsf{id}}^*}, m_\zeta ; \rho ')\) hardwired in the simulated garbling of the circuit \({\textsf{T}}\) to be \({\mathcal {PKE}}.{\textsf{E}}_2({\textsf{pp}}^{\mathcal {PKE}}, {\textsf{lpk}}_{{\textsf{id}}^*}, 0; \rho ')\).

The indistinguishability between \(G_{\textsf{real}}\) and \(G_0\) follows directly from the pseudorandomness property of \({\mathcal {F}}\). The indistinguishability between \(G_\tau \) and \(G_{\tau +1}\) for \(\tau \in [0, n-1]\) is proved in Lemma 1. The indistinguishability between \(G_n\) and \(G_{n+1}\) follows from the simulation security of \({\mathcal{G}\mathcal{C}}\). The indistinguishability between \(G_{n+1}\) and \(G_{\textsf{final}}\) follows from the IND-CPA security and the blindness security of \({\mathcal {PKE}}\). Finally, \(G_{\textsf{final}}\) is information-theoretically independent of the message \(m_\zeta \), so \(\mathcal A\) gains no advantage.    \(\square \)

Lemma 1

\(G_{\tau }\) and \(G_{\tau +1}\), \(\tau \in [0, n-1]\), are computationally indistinguishable.

Proof

We describe a sequence of hybrid games.

  • \(H_{\tau , 1}\): This game is identical to \(G_{\tau }\) except that we change the generation process of the (\(\tau +1\))-th garbled circuit

    $$(\tilde{{\textsf{Q}}}^{(\tau )}, \bar{Y}^{(\tau )})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Garble}}(1^\lambda , {\textsf{Q}}[k_{\tau }, {\textsf{id}}^*[{\tau +1}], \bar{Y}^{(\tau +1)}, \bar{\rho }^{(\tau +1)}]),$$

    where \(\bar{Y}^{(\tau )}=(Y^{(\tau )}_{j, b})_{j, b}\), to

    $$(\tilde{{\textsf{Q}}}^{(\tau )}, (Y^{(\tau )}_{j})_{j})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{BatchEnc}}(k_{\tau },h_{\tau }, {\textsf{id}}^*[{\tau +1}], \bar{Y}^{(\tau +1)}; \bar{\rho }^{(\tau +1)})),$$

    and set \(\bar{Y}^{(\tau )}=(Y^{(\tau )}_{j},Y^{(\tau )}_{j})_{j}\). When making the change, we are free to compute \(h_\tau \) and respond to any key queries as we possess the trapdoors of \({\mathcal{C}\mathcal{E}}\) and secret keys of \({\mathcal {PKE}}\).

  • \(H_{\tau , 2}\): This game is identical to \(H_{\tau , 1}\) except that we change how the values \(h_v\) and \(r_v\) for \(v \in \{0, 1\}^\tau \) are calculated when responding to the adversary’s key queries. Recall that in \(G_\tau \), \(h_v\) is computed as \({\mathcal{C}\mathcal{E}}.{\textsf{H}}(k_\tau , 0^{2l}; {\mathcal {F}}(s, v))\), and \(r_v\) is computed as \({\mathcal{C}\mathcal{E}}.{\textsf{H}}^{-1}({t_\tau , (0^{2l}, {\mathcal {F}}(s, v)), x_v})\). In \(H_{\tau , 2}\), we instead choose \(r_v\) uniformly and compute \(h_v={\mathcal{C}\mathcal{E}}.{\textsf{H}}(k_\tau , x_v; r_v)\).

  • \(H_{\tau , 3}\): This game is identical to \(H_{\tau , 2}\) except that we change the generation process of the (\(\tau +1\))-th garbled circuit:

    $$(\tilde{{\textsf{Q}}}^{(\tau )}, (Y^{(\tau )}_{j})_{j}) \leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{BatchEnc}}(k_{\tau },h_{\tau }, {\textsf{id}}^*[{\tau +1}], \bar{Y}^{(\tau +1)}; \bar{\rho }^{(\tau +1)})),$$

    to

    $$(\tilde{{\textsf{Q}}}^{(\tau )}, (Y^{(\tau )}_{j})_{j}) \leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{BatchEnc}}(k_{\tau },h_{\tau }, {\textsf{id}}^*[{\tau +1}], ({Y}^{(\tau +1)}_{j,h_{\tau +1}[j]},{Y}^{(\tau +1)}_{j,h_{\tau +1}[j]})_j; \bar{\rho }^{(\tau +1)})).$$

    When making the change, we do not generate \((k_\tau , t_\tau )\) by ourselves. Instead, we obtain \(k_\tau \) from a \({\mathcal{C}\mathcal{E}}\) experiment. The output of the \({\textsf{BatchEnc}}\) function (i.e., the “correct” set of the recipient-dependent CE encryptions) and the “correct” set of the recipient-independent CE encryptions are returned by the \({\mathcal{C}\mathcal{E}}\) experiment. We note that despite the fact that 2l randomnesses are input into the \({\textsf{BatchEnc}}\) function, only l randomnesses are used to generate the “correct” set of recipient-dependent CE encryptions. Thus the challenger is free to newly generate l randomnesses to compute the “fake” set of the recipient-independent CE encryptions with the new randomnesses. Besides, any key queries can be responded to using the method described in \(H_{\tau , 2}\).

  • \(H_{\tau , 4}\): This game is identical to \(H_{\tau , 3}\) except that we calculate \(h_v\) and \(r_v\) as in the original scheme.

The indistinguishability of hybrids \(G_{\tau }\) and \(H_{\tau , 1}\) follows from the simulation security of \({\mathcal{G}\mathcal{C}}\). The indistinguishability of hybrids \(H_{\tau , 1}\) and \(H_{\tau , 2}\) follows from the trapdoor collision and uniformity properties of \({\mathcal{C}\mathcal{E}}\). The indistinguishability of hybrids \(H_{\tau , 2}\) and \(H_{\tau , 3}\) follows from the IND security and the blindness security of \({\mathcal{C}\mathcal{E}}\). The indistinguishability of hybrids \(H_{\tau , 3}\) and \(H_{\tau , 4}\) follows from the trapdoor collision and uniformity properties of \({\mathcal{C}\mathcal{E}}\). Finally, \(H_{\tau , 4}\) is identical to \(G_{\tau +1}\).    \(\square \)

A.3 Proof of Theorem 6

Proof

\({\textsf{Enc}}({\textsf{mpk}}, {\textsf{id}}, m;(\rho ', \bar{\rho }^{(1)}, \ldots , \bar{\rho }^{(n)}))\) can be decomposed into \({\textsf{E}}_1\) and \({\textsf{E}}_2\):

\({\textsf{E}}_1({\textsf{mpk}};(\rho ', \bar{\rho }^{(1)}, \ldots , \bar{\rho }^{(n)}))=({\textsf{ct}}^{(0)}, \ldots , {\textsf{ct}}^{(n)})\), \({\textsf{E}}_2({\textsf{mpk}}, {\textsf{id}}, m;(\rho ', \bar{\rho }^{(1)}, \ldots , \bar{\rho }^{(n)})) = (\tilde{{\textsf{Q}}}^{(0)}, \ldots , \tilde{{\textsf{Q}}}^{(n-1)}, \tilde{{\textsf{T}}}, \tilde{Y}^{(0)})\). Suppose that \(\mathcal A\) is an efficient adversary playing the IND-BLIND-ID-CPA security game. Let q be a polynomial upper bound on the runtime of \(\mathcal A\), and thus also an upper bound on the number of \(\mathcal A\)’s key queries. We will show that \(\mathcal A\) gains a negligible advantage in the IND-BLIND-ID-CPA security game, using a sequence of hybrid games. Note that in the hybrids we only make changes when \(\zeta =0\), i.e., when the challenge ciphertext is \({\textsf{ct}}=(\bar{{\textsf{ct}}}_1, \bar{{\textsf{ct}}}_2)\). Throughout, we act as the game challenger and interact with \(\mathcal A\).

  • \(G_{\textsf{real}}\): This game is the original security game, as shown in Definition 14.

  • \(G_0, \ldots , G_{n+1}\) are defined analogously as in Appendix A.2.

  • \(G'_{\tau }\) for \(\tau \in [0, n]\): This game is identical to \(G_{n+1}\) except in how the challenge ciphertext is generated. Recall that in \(G_{n+1}\), we generate the (\(i+1\))-th garbled circuit as \({\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , \cdot )\rightarrow (\tilde{{\textsf{Q}}}^{(i)}, (Y^{(i)}_{j})_{j})\) and set \(\bar{Y}^{(i)}=(Y^{(i)}_{j},Y^{(i)}_{j})_{j}\). (When \(i = n\), the generated garbled circuit is \(\tilde{{\textsf{T}}}\); we abuse the notation \(\tilde{{\textsf{Q}}}^{(i)}\) here for convenience.) In this game, to compute a challenge ciphertext for identity \({\textsf{id}}^*\), the last (\(n+1-\tau \)) garbled circuits are generated as follows:

    • For \(i=n\), we replace \((\tilde{{\textsf{T}}}, (Y^{(i)}_{j})_{j})\) with a uniformly random string of the same length.

    • For \(i = n-1, \ldots , \tau \), we replace \((\tilde{{\textsf{Q}}}^{(i)}, (Y^{(i)}_{j})_{j})\) with a uniformly random string of the same length.

The indistinguishability of \(G'_{n}\) and \(G_{n+1}\) is proved in Lemma 2. The indistinguishability of \(G'_{\tau +1}\) and \(G'_{\tau }\) for \(\tau \in [0, n-1]\) is proved in Lemma 3. In \(G_0'\), \(\mathcal A\) will have no advantage in winning the IND-BLIND-ID-CPA security game.    \(\square \)

Lemma 2

\(G_{n+1}\) and \(G'_{n}\) are computationally indistinguishable.

Proof

We describe a hybrid game:

  • \(H'_{n+1}\): This game is identical to \(G_{n+1}\) except that we change the ciphertext hardwired in the simulated garbling of the (\(n+1\))-th garbled circuit from

    $$(\tilde{{\textsf{T}}}, (Y^{(n)}_{j})_{j})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\mathcal {PKE}}.{\textsf{E}}_2({\textsf{pp}}^{\mathcal {PKE}}, {\textsf{lpk}}_{{\textsf{id}}^*}, m; \rho ')),$$

    to

    $$(\tilde{{\textsf{T}}}, (Y^{(n)}_{j})_{j})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , \mathcal {U}),$$

    where \(\mathcal {U}\) is sampled uniformly at random from the output space of \({\mathcal {PKE}}.{\textsf{E}}_2()\).

The indistinguishability of \(G_{n+1}\) and \(H'_{n+1}\) follows from the IND-BLIND security of \({\mathcal {PKE}}\). The indistinguishability of \(H'_{n+1}\) and \(G'_{n}\) follows from the IND-BLIND security of \({\mathcal{G}\mathcal{C}}\).    \(\square \)

Lemma 3

\(G'_{\tau +1}\) and \(G'_{\tau }\) are computationally indistinguishable, \(\forall \tau \in [0, n-1]\).

Proof

We describe a sequence of hybrid games.

  • \(H'_{\tau +1, 1}\): This game is identical to \(G'_{\tau +1}\) except that we calculate values \(h_v\) and \(r_v\) for \(v \in \{0, 1\}^{\tau }\) as in \(H_{\tau , 1}\).

  • \(H'_{\tau +1, 2}\): It is identical to \(H'_{\tau +1, 1}\) except that we change the ciphertext hardwired in the simulated garbling of the (\(\tau +1\))-th garbled circuit from

    $$(\tilde{{\textsf{Q}}}^{(\tau )}, (Y^{(\tau )}_{j})_{j}) \leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{BatchEnc}}(k_{\tau },h_{\tau }, {\textsf{id}}^*[{\tau +1}], ({Y}^{(\tau +1)}_{j,h_{\tau +1}[j]},{Y}^{(\tau +1)}_{j,h_{\tau +1}[j]})_j; \bar{\rho }^{(\tau +1)})),$$

    to

    $$(\tilde{{\textsf{Q}}}^{(\tau )}, (Y^{(\tau )}_{j})_{j})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , \mathcal {U}),$$

    where \(\mathcal {U}\) is sampled uniformly at random from the output space of \({\textsf{BatchEnc}}()\). We note that when making the change, we do not generate \((k_{\tau }, t_{\tau })\) by ourselves. Instead, we obtain \(k_{\tau }\) from a \({\mathcal{C}\mathcal{E}}\) experiment. Although \(t_{\tau }\) is not given to us, we can compute \(h_\tau \) and respond to any key queries using the method described in \(H'_{\tau +1, 1}\).

  • \(H'_{\tau +1, 3}\): This game is identical to \(H'_{\tau +1, 2}\) except that we calculate the values \(h_v\) and \(r_v\) as in the original scheme.

  • \(H'_{\tau +1, 4}\): It is identical to \(H'_{\tau +1, 3}\) except that we change the generation process of the (\(\tau +1\))-th garbled circuit in the challenge ciphertext. In particular, we set \((\tilde{{\textsf{Q}}}^{(\tau )}, (Y^{(\tau )}_{j})_{j})\) to a uniformly random string of the same length.

The indistinguishability of \(G'_{\tau +1}\) and \(H'_{\tau +1, 1}\) follows from the trapdoor collision and uniformity properties of \({\mathcal{C}\mathcal{E}}\). The indistinguishability of \(H'_{\tau +1, 1}\) and \(H'_{\tau +1, 2}\) follows from the IND-BLIND security of \({\mathcal{C}\mathcal{E}}\). The indistinguishability of \(H'_{\tau +1, 2}\) and \(H'_{\tau +1, 3}\) follows from the trapdoor collision and uniformity properties of \({\mathcal{C}\mathcal{E}}\). The indistinguishability of \(H'_{\tau +1, 3}\) and \(H'_{\tau +1, 4}\) for \(\tau \in [0, n]\) follows from the IND-BLIND security of \({\mathcal{G}\mathcal{C}}\). We note that \(H'_{\tau +1, 4}\) is identical to \(G'_{\tau }\).    \(\square \)

A.4 Proof of Theorem 9

Proof

\({\textsf{Enc}}({\textsf{pp}}, ({\textsf{vk}}, i, b), m; r=(\rho , \{\rho _{j, b'}\}_{j\in [l'], b'\in \{0, 1\}}))\) can be decomposed into two parts: \({\textsf{E}}_1({\textsf{pp}}, i; r)=({\textsf{ct}}', \{{\textsf{ct}}'_{j, b'}\}_{j, b'})\), \({\textsf{E}}_2({\textsf{pp}}, ({\textsf{vk}}, i, b), m; r)=(\tilde{{\textsf{C}}}, \{{\textsf{ct}}''_{j, b'}\}_{j, b'})\). Suppose that \(\mathcal A\) is an efficient adversary playing the sel-IND-BLIND security game. We will show that \(\mathcal A\) gains a negligible advantage in the sel-IND-BLIND security game, using a sequence of hybrid games. In the hybrids, we only make changes when \(\zeta =0\), i.e., when the challenge ciphertext is \({\textsf{ct}}=(\bar{{\textsf{ct}}}_1, \bar{{\textsf{ct}}}_2)\). Throughout, we act as the game challenger and interact with \(\mathcal A\).

  • \(G_{\textsf{real}}\): This game is the original security game, as shown in Definition 15.

  • \(G_{0}\): This game is identical to the game \(H_{2}\) in [18, Theorem 6]. Specifically, the recipient-dependent part of the challenge ciphertext is generated as \((\tilde{{\textsf{C}}}, (Y_{j, {\mathcal{N}\mathcal{C}}.{\textsf{vk}}_j})_{j})\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\mathcal{N}\mathcal{C}}.{\textsf{E}}_2({\mathcal{N}\mathcal{C}}.{\textsf{pp}}, ({\mathcal{N}\mathcal{C}}.{\textsf{vk}}, i, b), m; \rho ))\), \({\textsf{ct}}''_{j, b'}\leftarrow {\mathcal{C}\mathcal{E}}.{\textsf{E}}_2(k, (h,j, b'),Y_{j, {\mathcal{N}\mathcal{C}}.{\textsf{vk}}_j}; \rho _{j, b'})\) for \(j\in [l'], b'\in \{0, 1\}\).

  • \(G_1\): This game is identical to \(G_{0}\) except in how the challenge ciphertext is generated. In particular, we compute \((\tilde{{\textsf{C}}}, (Y_{j, {\mathcal{N}\mathcal{C}}.{\textsf{vk}}_j})_{j})\) as \({\mathcal{G}\mathcal{C}}.{\textsf{Garble}}(1^\lambda , \mathcal {U})\) where \(\mathcal {U}\) is sampled uniformly at random from the output space of \({\mathcal{N}\mathcal{C}}.{\textsf{E}}_2( {\mathcal{N}\mathcal{C}}.{\textsf{pp}}, (h, i, b), m; \rho )\).

  • \(G_2\): This game is identical to \(G_{1}\) except in how the challenge ciphertext is generated. In particular, we replace \((\tilde{{\textsf{C}}}, (Y_{j, {\mathcal{N}\mathcal{C}}.{\textsf{vk}}_j})_{j})\) by a uniformly random string of the same length.

  • \(G_3\): This game is identical to \(G_{2}\) except in how the challenge ciphertext is generated. In particular, we replace \({\textsf{ct}}''_{j, b'}\) for \(j\in [l'], b'\in \{0, 1\}\) by uniformly random strings of the same length.

The indistinguishability of \(G_{\textsf{real}}\) and \(G_0\) is proved in [18, Theorem 6] and thus omitted. The indistinguishability of \(G_0\) and \(G_1\) follows from the sel-IND-BLIND security of \({\mathcal{N}\mathcal{C}}\). The indistinguishability of \(G_1\) and \(G_2\) follows from the IND-BLIND security of \({\mathcal{G}\mathcal{C}}\). The indistinguishability of \(G_2\) and \(G_3\) follows from the IND-BLIND security of \({\mathcal{C}\mathcal{E}}\). In \(G_3\), \(\mathcal A\) will have no advantage in winning the sel-IND-BLIND security game.    \(\square \)

A.5 Proof of Theorem 10

Proof

Consider an adversary \(\mathcal A\) playing the sel-IND-ANON-ID-CPA security game of HIBE; \(\mathcal A\) is eventually given a challenge \({\textsf{ct}}\leftarrow {\textsf{Enc}}({\textsf{mpk}}, {\textsf{id}}_\zeta , m)\), where \(({\textsf{id}}_0, {\textsf{id}}_1, m)\) are chosen by \(\mathcal A\). We note that \({\textsf{id}}_0\) and \({\textsf{id}}_1\) are restricted to the same length. For each \(\zeta \in \{0, 1\}\), it is certainly the case that \(\mathcal A\) cannot distinguish whether it was given \({\textsf{ct}}_{{\textsf{id}}_\zeta , m} \leftarrow {\textsf{Enc}}({\textsf{mpk}}, {\textsf{id}}_\zeta , m)\) or \({\textsf{ct}}_{{\textsf{id}}_\zeta , m^*}\leftarrow {\textsf{Enc}}({\textsf{mpk}}, {\textsf{id}}_\zeta , m^*)\), where \(m^*\xleftarrow []{{\$}}\mathcal M\); this follows from sel-IND-ID-CPA security of HIBE. Additionally, by sel-IND-BLIND-ID-CPA security of HIBE, \(\mathcal A\) also cannot distinguish whether it is given \({\textsf{ct}}_{{\textsf{id}}_\zeta , m^*}\) as above or \({\textsf{ct}}'_{{\textsf{id}}_\zeta , m^*} = {\textsf{E}}_1({\textsf{mpk}},|{\textsf{id}}_\zeta |; \rho )\Vert \mathcal {U}\) for \(\rho \xleftarrow []{{\$}}\mathcal R\), \(\mathcal {U}\xleftarrow []{{\$}}\{0, 1\}^{|{\textsf{E}}_2({\textsf{mpk}}, {\textsf{id}}_\zeta , m^*; \rho )|}\). As \({\textsf{ct}}'_{{\textsf{id}}_0, m^*}\) and \({\textsf{ct}}'_{{\textsf{id}}_1, m^*}\) are drawn from identical distributions, we conclude that \(\mathcal A\) cannot distinguish whether it is given \({\textsf{ct}}_{{\textsf{id}}_0, m}\) or \({\textsf{ct}}_{{\textsf{id}}_1, m}\), as desired.    \(\square \)

A.6 Proof of Theorem 12

Proof

The encryption algorithm \({\textsf{Enc}}({\textsf{mpk}}, {\textsf{id}}, m; r=(\rho '', \bar{\rho }', \bar{\rho }^{(n-1)}, \ldots , \bar{\rho }^{(0)}))\) of our scheme can be decomposed into two parts: \({\textsf{E}}_1({\textsf{mpk}}; r)=({\textsf{ct}}^{(0)}, \ldots , {\textsf{ct}}^{(n)}, {\textsf{ct}}'')\), \({\textsf{E}}_2({\textsf{mpk}}, {\textsf{id}}, m; r)=(\tilde{{\textsf{Q}}}^{(0)}, \ldots , \tilde{{\textsf{Q}}}^{(n)}, \tilde{{\textsf{T}}}, \tilde{Y}^{(0)})\). Suppose that \(\mathcal A\) is an efficient adversary playing the sel-IND-BLIND-ID-CPA security game. We will show that \(\mathcal A\) gains a negligible advantage in the sel-IND-BLIND-ID-CPA security game, using a sequence of hybrid games. In the hybrid games, we only make changes when \(\zeta =0\), i.e., when the challenge ciphertext is \({\textsf{ct}}=(\bar{{\textsf{ct}}}_1, \bar{{\textsf{ct}}}_2)\). Throughout, we act as the game challenger and interact with \(\mathcal A\).

  • \(G_{\textsf{real}}\): This game is the original security game, as shown in Definition 16.

  • \(G_{0}\): It is identical to \(H_{2n^*+3}\) in [15, Theorem 4]. Specifically, the PRF function is modified such that all key queries can be responded to by the challenger without knowing the trapdoor values \(t_v\) \(\forall v \in \{\epsilon , {\textsf{id}}^*[\le 1], \ldots , {\textsf{id}}^*[\le n-1]\}\). The recipient-dependent part of the challenge ciphertext is generated as follows:

    Compute \((\tilde{{\textsf{T}}}, (Y^{\textsf{T}}_j)_j)\leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\mathcal {PKE}}.{\textsf{E}}_2({\textsf{pp}}^{\mathcal {PKE}}, {\textsf{lpk}}_{{\textsf{id}}^*}, m; \rho ''))\). Then, for \(i = n, \ldots , 0\):

    • If \(i = n\), compute

      $$(\tilde{{\textsf{Q}}}^{(n)}, (Y^{(n)}_j)_j) \leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{Q}}_{\textsf{last}}[{\mathcal {OTSE}}.{\textsf{pp}}, (Y^{\textsf{T}}_j,Y^{\textsf{T}}_j)_j, {\bar{\rho }'}]({\textsf{vk}}_{v_{{\textsf{id}}^*[\le n]}})).$$

    • Otherwise, compute

      $$(\tilde{{\textsf{Q}}}^{(i)}, (Y^{(i)}_j)_j) \leftarrow {\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , {\textsf{Q}}[{\mathcal {OTSE}}.{\textsf{pp}}, {\textsf{id}}_{i+1}, (Y^{(i+1)}_j,Y^{(i+1)}_j)_j, \bar{\rho }^{(i+1)}]({\textsf{vk}}_{v_{{\textsf{id}}^*[\le i]}})).$$

  • \(G_{0, 2}\): This game is identical to \(G_{0}\) except in how the challenge ciphertext is generated. In particular, we compute \((\tilde{{\textsf{T}}}, (Y^{\textsf{T}}_j)_j)\) as \({\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , \mathcal {U})\), where \(\mathcal {U}\) is sampled uniformly at random from the output space of \({\mathcal {PKE}}.{\textsf{E}}_2()\).

  • \(G_{0, 1}\): This game is identical to \(G_{0, 2}\) except in how the challenge ciphertext is generated. In particular, we replace \((\tilde{{\textsf{T}}}, (Y^{\textsf{T}}_j)_j)\) by a uniformly random string of the same length.

  • \(G_{\tau , 2}\) for \(\tau \in [1, n]\): It is identical to \(G_{\tau -1, 1}\) except for the challenge ciphertext. In particular, we compute \((\tilde{{\textsf{Q}}}^{(n-\tau +1)}, (Y^{(n-\tau +1)}_j)_j)\) as \({\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , \mathcal {U}_1)\) if \(\tau =1\) or \({\mathcal{G}\mathcal{C}}.{\textsf{Sim}}(1^\lambda , \mathcal {U}_2)\) otherwise, where \(\mathcal {U}_1\) and \(\mathcal {U}_2\) are sampled uniformly at random from the output space of \({\textsf{Q}}_{\textsf{last}}(\cdot )\) and \({\textsf{Q}}(\cdot )\) respectively.

  • \(G_{\tau , 1}\) for \(\tau \in [1, n]\): This game is identical to \(G_{\tau , 2}\) except in how the challenge ciphertext is generated. In particular, we replace \((\tilde{{\textsf{Q}}}^{(n-\tau +1)}, (Y^{(n-\tau +1)}_j)_j)\) by a uniformly random string of the same length.

The indistinguishability of \(G_{\textsf{real}}\) and \(G_{0}\) is proved in [15, Theorem 4] and thus omitted here. The indistinguishability of \(G_{0}\) and \(G_{0, 2}\) follows from the IND-BLIND security of \({\mathcal {PKE}}\). The indistinguishability of \(G_{\tau , 2}\) and \(G_{\tau , 1}\) for \(\tau \in [0, n]\) follows from the IND-BLIND security of \({\mathcal{G}\mathcal{C}}\). The indistinguishability of \(G_{\tau -1, 1}\) and \(G_{\tau , 2}\) for \(\tau \in [1, n]\) follows from the sel-IND-BLIND security of \({\mathcal {OTSE}}\). In \(G_{n, 1}\), \(\mathcal A\) will have no advantage in winning the sel-IND-BLIND-ID-CPA security game. We note that in all of the above games, the challenger is free to answer the key queries with the modified PRF.    \(\square \)

Copyright information

© 2023 The Author(s), under exclusive license to Springer Nature Switzerland AG

Cite this paper

Wu, H., Chow, S.S.M. (2023). Anonymous (Hierarchical) Identity-Based Encryption from Broader Assumptions. In: Tibouchi, M., Wang, X. (eds) Applied Cryptography and Network Security. ACNS 2023. Lecture Notes in Computer Science, vol 13906. Springer, Cham. https://doi.org/10.1007/978-3-031-33491-7_14

  • DOI: https://doi.org/10.1007/978-3-031-33491-7_14

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-031-33490-0

  • Online ISBN: 978-3-031-33491-7
