1 Introduction
1.1 Background
Construction | \(|{\textsf {pp}}|\) | \(|{\textsf {mk}}|\) | \({|{\textsf {ct}_{{\texttt {id}}, {\texttt {t}}}}|}\) | \({|\textsf {hk}_{{\texttt {id}}, \textsf {T}_{ \ell }({\texttt {t}}) }^{( \ell )}|}\) | \({|\textsf {dk}_{{\texttt {id}}, \textsf {T}_{ 0 }({\texttt {t}})}|}\) |
---|---|---|---|---|---|
Generic HHSI05 [30] | O(L) | O(L) | O(L) | \(O(L-\ell )\) | O(L) |
O(L) | O(L) | \(O(L)+\alpha \) | \(O(L-\ell )\) | O(L) | |
First Construction (§4) | O(1) | O(1) | O(1) | O(1) | O(1) |
O(1) | O(1) | O(1) | O(1) | O(1) | |
Second Construction (§5) | O(1) | O(1) | O(L) | \(O(L-\ell )\) | O(L) |
O(1) | O(1) | \(O(L)+\alpha \) | \(O(L-\ell )\) | O(L) |
Construction | Security | Model | Building Block | Reduction Loss | |
---|---|---|---|---|---|
Generic HHSI05 [30] | CCA | ROM | CPA-secure HIBE | O(Q) | |
CCA | Std. | CPA-secure HIBE and OTS | O(Q) | ||
First Construction (§4) | CPA | Std. | CPA-secure HIBE w/ MSK eval. | O(QL) | |
CCA | Std. | CCA-secure HIBE w/ MSK eval. | O(QL) | ||
Second Construction (§5) | CPA | Std. | CPA-secure HIBE | O(L) | |
CCA | Std. | CPA-secure HIBE and OTS | O(L) |
1.2 Our contributions
-
The first HKIBE scheme with compact master public keys in the standard model from [28] under the k-linear assumption.
Scheme | \(|{\textsf {pp}}|\) | \(|{\textsf {mk}}|\) | Assumptions | |||
---|---|---|---|---|---|---|
Concrete HHSI05 [30] (in ROM) | O(1) | O(L) | O(L) | \(O((L-\ell )^2)\) | \(O(L^2)\) | CBDH |
\(O(L^2)\) | O(L) | \(O(L)+\alpha \) | \(O(\ell (L-\ell ))\) | O(L) | SXDH OTS | |
O(L) | O(1) | \(O(L^2)+\alpha \) | \(O((L-\ell )^2)\) | \(O(L^2)\) | SXDH OTS | |
SW18 [52] w/ OTS (flawed) | O(L) | O(1) | \(O(1)+\alpha \) | \(O(\ell )\) | O(1) | SXDH OTS |
O(L) | O(1) | \(O(1)+\alpha \) | \(O(\ell )\) | O(1) | SXDH OTS | |
O(1) | O(1) | \(O(L)+\alpha \) | \(O(L-\ell )\) | O(L) | SXDH OTS |
1.3 Related work
2 Preliminaries
2.1 Notations
2.2 Hierarchical time-period map functions
2.3 HIBE
-
\(\textsf {Init}(1^{\lambda }, L) \rightarrow (\textsf {MPK}, \textsf {MSK})\): given the security parameter \(\lambda \) and the maximum hierarchical depth L, it outputs a master-key pair \((\textsf {MPK},\textsf {MSK})\).
-
\(\textsf {Enc}(\textsf {MPK}, {\texttt {ID}}, \textsf {M}) \rightarrow \textsf {C}_{ {\texttt {ID}} }\): given \(\textsf {MPK}\), user’s identity \({\texttt {ID}}\in \mathcal {I}^{|{\texttt {ID}}|}\), and a plaintext \(\textsf {M}\), it outputs a ciphertext \(\textsf {C}_{ {\texttt {ID}} }\).
-
\(\textsf {GenSK}(\textsf {MPK}, {\textsf {SK}}_{ {\texttt {ID}}' }, {\texttt {ID}}) \rightarrow {\textsf {SK}}_{ {\texttt {ID}} }\): given \(\textsf {MPK}\), a user’s secret key \({\textsf {SK}}_{ {\texttt {ID}}' }\), and an identity \({\texttt {ID}}\in \mathcal {I}^{|{\texttt {ID}}|}\) s.t. \({\texttt {ID}}\)’s parent is \({\texttt {ID}}'\), it outputs a secret key \({\textsf {SK}}_{ {\texttt {ID}} }\). The second input \({\textsf {SK}}_{ {\texttt {ID}}' }\) can be replaced by \(\textsf {MSK}\). For notational convenience, we regard \({\textsf {SK}}_{ {\texttt {ID}}_0 }\) as the master secret key (MSK) \(\textsf {MSK}\).
-
\(\textsf {Dec}(\textsf {MPK}, {\textsf {SK}}_{ {\texttt {ID}} }, \textsf {C}_{ {\texttt {ID}} }) \rightarrow \textsf {M}\): given \(\textsf {MPK}\), a secret key \({\textsf {SK}}_{ {\texttt {ID}} }\), and a ciphertext \(\textsf {C}_{ {\texttt {ID}} }\), it outputs the decryption result \(\textsf {M}\).
-
\(\textsf {SampMSK}(\textsf {MPK}) \rightarrow {\widehat{\textsf {MSK}}}\): This is the pseudo-MSK sampling algorithm that, given \(\textsf {MPK}\), outputs a pseudo-MSK \({\widehat{\textsf {MSK}}}\in \mathcal {MSK}\).
-
\(\textsf {EvalMSK}(\textsf {MPK}, {\textsf {SK}}_{ {\texttt {ID}} } [ {\widehat{\textsf {MSK}}}_1 ], {\textsf {SK}}_{ {\texttt {ID}} } [ {\widehat{\textsf {MSK}}}_2 ], \textsf {lab}) \rightarrow {\textsf {SK}}_{ {\texttt {ID}} } [ f_{\textsf {lab}}({\widehat{\textsf {MSK}}}_1, {\widehat{\textsf {MSK}}}_2) ]\): This is the MSK evaluation algorithm that, given two secret keys \({\textsf {SK}}_{ {\texttt {ID}} } [ {\widehat{\textsf {MSK}}}_1 ]\), \({\textsf {SK}}_{ {\texttt {ID}} } [ {\widehat{\textsf {MSK}}}_2 ]\) for the same \({\texttt {ID}}\in \mathcal {I}^{|{\texttt {ID}}|}\) under \({\widehat{\textsf {MSK}}}_1,{\widehat{\textsf {MSK}}}_2\in \mathcal {MSK}\), and a label \(\textsf {lab}\in \{ \mathtt {mul}, \mathtt {div} \}\), it outputs a secret key \({\textsf {SK}}_{ {\texttt {ID}} } [ f_{\textsf {lab}}({\widehat{\textsf {MSK}}}_1, {\widehat{\textsf {MSK}}}_2) ]\), where \(f_{\mathtt {mul}}({\widehat{\textsf {MSK}}}_1, {\widehat{\textsf {MSK}}}_2) = {\widehat{\textsf {MSK}}}_1 \cdot {\widehat{\textsf {MSK}}}_2\) and \(f_{\mathtt {div}}({\widehat{\textsf {MSK}}}_1, {\widehat{\textsf {MSK}}}_2) = {\widehat{\textsf {MSK}}}_1 / {\widehat{\textsf {MSK}}}_2\).
3 HKIBE
3.1 Model
-
\(\textsf {Setup}(1^{\lambda }, L) \rightarrow ({\textsf {pp}}, {\textsf {mk}})\): This is the setup algorithm that, given the security parameter \(\lambda \) and the maximum depth of the hierarchy \(L \in \mathbb {N}\), it outputs a master-key pair \(({\textsf {pp}},{\textsf {mk}})\).
-
: This is the encryption algorithm that, given \({\textsf {pp}}\), an element identity \({\texttt {id}}\in \mathcal {I}\), current time \({\texttt {t}}\in \mathcal {T}_{act}\), and a plaintext \(\textsf {M}\in \mathcal {M}\), it outputs a ciphertext .
-
: This is the helper-key generation algorithm that, given \({\textsf {pp}}\), \({\textsf {mk}}\), and an element identity \({\texttt {id}}\in \mathcal {I}\), it outputs a set of initial helper keys . The level-0 helper key is also called a decryption key and set as .
-
or \(\bot \): This is the key update information generation algorithm that, given \({\textsf {pp}}\), actual time \({\texttt {t}}\in \mathcal {T}_{act}\), and an \({\texttt {id}}\)’s level-\((\ell +1)\) helper key at a time period \(t_{\ell +1} \in \mathcal {T}_{\ell +1}\), it outputs an \({\texttt {id}}\)’s level-\(\ell \) key update at a time period if . Otherwise, it outputs \(\bot \).
-
: This is the helper key update algorithm that, given \({\textsf {pp}}\), an \({\texttt {id}}\)’s level-\(\ell \) helper key at a time period \(\tau _\ell \in \mathcal {T}_\ell \), and an \({\texttt {id}}\)’s level-\(\ell \) key update \(\textsf {ku}_{{\texttt {id}}, t_\ell }^{( \ell )}\) at a time period \(t_\ell \in \mathcal {T}_\ell \), it outputs an updated helper key at a time period \(t_\ell \).
-
or \(\bot \): This is the decryption algorithm that, given \({\textsf {pp}}\), an \({\texttt {id}}\)’s decryption key \(\textsf {dk}_{{\texttt {id}}, t_0}\) at a time period \(t_0 \in \mathcal {T}_0\), and a ciphertext , it outputs \(\textsf {M}\) or \(\bot \) which indicates decryption failure.
-
\(\textsf {ct}_{ {\texttt {id}}, {\texttt {t}}_n} \leftarrow \textsf {Encrypt}({\textsf {pp}}, {\texttt {id}}, {\texttt {t}}_n, \textsf {M})\).
-
\(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0,L]} \leftarrow \textsf {GenHK}({\textsf {pp}}, {\textsf {mk}}, {\texttt {id}})\).
-
Let \({\texttt {t}}_0 :=0\) for simplicity. For all \(j = 1,2,\ldots , n\), execute the following procedures for \(\ell = L-1, L-2, \ldots , 0\):
-
\(\textsf {ku}_{{\texttt {id}}, \textsf {T}_{\ell }({\texttt {t}}_j) }^{( \ell )} \leftarrow \textsf {KeyUp}({\textsf {pp}}, {\texttt {t}}_j, \textsf {hk}_{{\texttt {id}}, \textsf {T}_{\ell +1}({\texttt {t}}_j) }^{( \ell +1 )})\).
-
\(\textsf {hk}_{{\texttt {id}}, \textsf {T}_\ell ({\texttt {t}}_j) }^{( \ell )} \leftarrow \textsf {Upd}({\textsf {pp}}, \textsf {hk}_{{\texttt {id}}, \textsf {T}_\ell ({\texttt {t}}_{j-1}) }^{( \ell )}, \textsf {ku}_{{\texttt {id}}, \textsf {T}_\ell ({\texttt {t}}_j) }^{( \ell )})\).
-
-
\(\textsf {M}' \leftarrow \textsf {Decrypt}({\textsf {pp}}, \textsf {dk}_{{\texttt {id}}, \textsf {T}_0({\texttt {t}}_n)}, \textsf {ct}_{ {\texttt {id}}, {\texttt {t}}_n})\).
3.2 Security
-
Helper-key generation query Upon a query \({\texttt {id}}\in \mathcal {I}\) from \(\mathcal {A}\), \({\mathcal {C}}\) checks if \(({\texttt {id}}, *) \notin \mathtt {HKList}\), and returns \(\bot \) to \(\mathcal {A}\) if this is not the case. Otherwise, \({\mathcal {C}}\) executes \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0,L]} \leftarrow \textsf {GenHK}({\textsf {pp}}, {\textsf {mk}}, {\texttt {id}})\) and returns nothing to \(\mathcal {A}\).We require that all identities \({\texttt {id}}\) appearing in the following queries (except the challenge query) are “activated”, in the sense that \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}\) is generated via this query and hence \(({\texttt {id}}, ( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}) \in \mathtt {HKList}\).
-
Initial helper-key reveal query Until the challenge query, upon a query \({\texttt {id}}\in \mathcal {I}\) from \(\mathcal {A}\), \({\mathcal {C}}\) finds \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}\) from \(\mathtt {HKList}\) and returns \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}\) to \(\mathcal {A}\). After the challenge query, \({\mathcal {C}}\) checks whether \({\texttt {id}}\ne {\texttt {id}}^\star \) and returns \(\bot \) if this is not the case. Otherwise, \({\mathcal {C}}\) returns \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}\) to \(\mathcal {A}\) in the same way.
-
Key-insulation query Until the challenge query, upon a query \(({\texttt {id}}, {\texttt {t}}, \ell ) \in \mathcal {I}\times \mathcal {T}_{act}\times [0,L]\) from \(\mathcal {A}\), \({\mathcal {C}}\) finds \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0,L]}\) from \(\mathtt {HKList}\) and runs
-
,
-
,
-
\(\mathcal {A}\) does not make the initial helper-key reveal query on \({\texttt {id}}^\star \).
-
There is a special hierarchical level \(\ell ^\star \) as explained in the key-insulation query.
4 Generic construction from HIBE with MSK evaluatability
4.1 Construction idea
4.2 Construction
-
\(\textsf {Setup}(1^{\lambda }, L) \rightarrow ({\textsf {pp}}, {\textsf {mk}})\): Run \((\textsf {MPK}, \textsf {MSK}) \leftarrow \textsf {Init}(1^{\lambda }, L+1)\), then output \({\textsf {pp}}:=\textsf {MPK}\) and \({\textsf {mk}}:=\textsf {MSK}\).
-
: Parse \({\textsf {pp}}=\textsf {MPK}\). Run
-
\(\textsf {GenHK}({\textsf {pp}}, {\textsf {mk}}, {\texttt {id}}) \rightarrow ( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}\): Parse \({\textsf {pp}}=\textsf {MPK}\) and \({\textsf {mk}}=\textsf {MSK}\). First, compute \({\widehat{\textsf {MSK}}}_{{\texttt {id}}, \ell } \leftarrow \textsf {SampMSK}(\textsf {MPK})\) for \(\ell \in [0,L-1]\). Then, for \(\ell \in [0, L]\), runNote that without loss of generality, we assume \(0 \in \mathcal {T}_{act}\) to describe initial helper keys simply. Output \(( \textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} )_{\ell \in [0, L]}\), where$$\begin{aligned} \left\{ \begin{array}{ll} {\textsf {SK}}_{ {\texttt {id}} }\!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}, i}} \right] \leftarrow \textsf {GenSK}\!\left( \textsf {MPK}, \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}, i}}, {\texttt {id}} \right) \quad &{} \text {if } \ell = L,\\ {\textsf {SK}}_{ ({\texttt {id}}, \textsf {T}_{[L-1,\ell ]}(0)) }\!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}, i}} \right] \\ \qquad \qquad \qquad \leftarrow \textsf {GenSK}\!\left( \textsf {MPK}, \frac{\textsf {MSK}}{\prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}, i}}, ({\texttt {id}}, \textsf {T}_{[L-1,\ell ]}(0)) \right) &{} \text {if } \ell \in [L-1],\\ {\textsf {SK}}_{ ({\texttt {id}},\textsf {T}_{[L-1,0]}(0)) }\!\left[ \textsf {MSK} \right] \leftarrow \textsf {GenSK}\!\left( \textsf {MPK}, \textsf {MSK}, ({\texttt {id}},\textsf {T}_{[L-1,0]}(0)) \right) &{} \text {if } \ell =0. \end{array} \right. \end{aligned}$$
-
\(\textsf {hk}_{{\texttt {id}}, 0 }^{( L )} :={\textsf {SK}}_{ {\texttt {id}} } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}, i}} \right] \),
-
\(\textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} :=\!\left( {\widehat{\textsf {MSK}}}_{{\texttt {id}}, \ell }, {\textsf {SK}}_{ ({\texttt {id}}, \textsf {T}_{[L-1,\ell ]}(0)) } \! \!\left[ \frac{\textsf {MSK}}{ \prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}, i}} \right] \right) \) for \(\ell \in [L-1]\).
-
\(\textsf {hk}_{{\texttt {id}}, 0 }^{( 0 )} (= \textsf {dk}_{{\texttt {id}}, 0}) :=\!\left( {\widehat{\textsf {MSK}}}_{{\texttt {id}}, 0}, {\textsf {SK}}_{ ({\texttt {id}}, \textsf {T}_{[L-1,0]}(0)) } \right) \).
-
-
or \(\bot \): If , output \(\bot \). Otherwise, parse
-
\(\textsf {Upd}({\textsf {pp}}, \textsf {hk}_{{\texttt {id}}, \tau _\ell }^{( \ell )}, \textsf {ku}_{{\texttt {id}}, t_\ell }^{( \ell )}) \rightarrow \textsf {hk}_{{\texttt {id}}, t_\ell }^{( \ell )}\): Suppose and \(t_\ell = \textsf {T}_\ell ({\texttt {t}}')\). Parse
-
: Parse
-
.
4.3 Security
-
\({\widehat{\textsf {MSK}}}_{{\texttt {id}}_q, \ell } \leftarrow \textsf {SampMSK}(\textsf {MPK})\) for \(\ell \in [0,L-1]\)
-
\({\textsf {SK}}_{ ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) } \! \!\left[ \prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q,i} \right] \leftarrow \textsf {GenSK}(\textsf {MPK}, \prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q,i}, ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)))\),
-
\({\textsf {SK}}_{ ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q,i}} \right] \leftarrow \textsf {EvalMSK}(\textsf {MPK}, {\textsf {SK}}_{ ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) },\)\({\textsf {SK}}_{ ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) } \! \!\left[ \prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q,i} \right] , \mathtt {div})\),
-
\(\textsf {hk}_{ {\texttt {id}}_q, 0 }^{( L )} :={\textsf {SK}}_{ {\texttt {id}}_q } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q, i}} \right] \),
-
\(\textsf {hk}_{ {\texttt {id}}_q, 0 }^{( \ell )} :=\!\left( {\widehat{\textsf {MSK}}}_{{\texttt {id}}_q, \ell }, {\textsf {SK}}_{ ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q,i}} \right] \right) \) for \(\ell \in [0, L-1]\).
-
\({\textsf {SK}}_{ ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q, i}} \right] \leftarrow \textsf {GenSK}\!\left( \textsf {MPK}, \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_q, i}}, ({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0)) \right) \),
-
\({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell } \leftarrow \textsf {SampMSK}(\textsf {MPK})\) for \(\ell \in [0, L] \setminus \{\ell ^\star \}\),
-
\({\textsf {SK}}_{ ( {\texttt {id}}_{Q^\star },\textsf {T}_{[L-1,\ell ]}(0) ) } \! \!\left[ \prod _{i\in [\ell ,L]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i} \right] \leftarrow \textsf {GenSK}\!\left( \textsf {MPK}, \prod _{i\in [\ell ,L]} {\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i},( {\texttt {id}}_{Q^\star },\textsf {T}_{[L-1,\ell ]}(0) ) \right) \) for \(\ell \in [\ell ^\star +1,L]\),
-
\(\textsf {hk}_{ {\texttt {id}}_{Q^\star }, 0 }^{( \ell )} :=\!\left( {\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },\ell }, {\textsf {SK}}_{ ( {\texttt {id}}_{Q^\star },\textsf {T}_{[L-1,\ell ]}(0) ) } \! \!\left[ \prod _{i\in [\ell ,L]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i} \right] \right) \) for \(\ell \in [\ell ^\star +1,L]\),
-
\({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell } = {\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell }\) for \(\ell \in [0, L] \setminus \{\ell ^\star \}\),
-
\({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell ^\star } = \frac{\textsf {MSK}}{\prod _{i \in [0, L] \setminus \{\ell ^\star \}}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, i}}\).
-
Case for \(\ell \in [0, \ell ^{\star }-1]\): The level-\(\ell \) pseudo-MSK \(\textsf {MSK}_{{\texttt {id}}_{Q^\star }, \ell } ={\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell }\) is created in the same way as the construction by running \(\textsf {SampMSK}\) algorithm.
-
Case for \(\ell ^\star \): The level-\(\ell ^\star \) pseudo-MSK \({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell ^\star }\) is created by running \(\textsf {SampMSK}\) algorithm in the construction (i.e., \({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell ^\star }\) is the output of \(\textsf {SampMSK}\)). In the reduction, we assume that the level-\(\ell ^\star \) pseudo-MSK is \({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell ^\star }=\textsf {MSK}/ \prod _{i \in [0, L-1] \setminus \{\ell ^\star \}}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, i}\) although \(\mathcal {B}_{\ell ^\star }\) does not compute it explicitly. Thanks to the pseudo-MSK indistinguishability in Def. 2, the level-\(\ell ^\star \) pseudo-MSK \({\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, \ell ^\star }\) follows the same distribution as the construction.
-
Case for \(\ell \in [\ell ^\star +1,L]\): First of all, the main component \({\textsf {SK}}_{ {\texttt {id}}_{Q^\star } } [ \textsf {MSK}/ \prod _{i \in [0, L-1]} {\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, i} ]\) of level-L helper key \(\textsf {hk}_{ {\texttt {id}}_{Q^\star }, 0 }^{( L )}\) is created by
-
\({\textsf {SK}}_{ {\texttt {id}}_{Q^\star } } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, i}} \right] \leftarrow \textsf {GenSK}\!\left( \textsf {MPK}, \frac{\textsf {MSK}}{\prod _{i \in [0, L-1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star }, i}}, {\texttt {id}}_{Q^\star } \right) \)
-
\({\textsf {SK}}_{ ({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}})) } \! \!\left[ \prod _{i \in [0, \ell -1]} {\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i} \right] \leftarrow \textsf {GenSK}(\textsf {MPK}, \prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i}, ({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}})))\),
-
\({\textsf {SK}}_{ ({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}})) } \! \!\left[ \frac{\textsf {MSK}}{\prod _{i \in [0, \ell -1]} {\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i}} \right] \quad \leftarrow \textsf {EvalMSK}(\textsf {MPK}, {\textsf {SK}}_{ ({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}})) }, {\textsf {SK}}_{ ({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}})) } \! \!\left[ \prod _{i \in [0, \ell -1]}{\widehat{\textsf {MSK}}}_{{\texttt {id}}_{Q^\star },i} \right] , \mathtt {div})\).
-
For all \(q \in [Q] \setminus \{Q^\star \}\), we have \({\texttt {id}}_q \notin \textsf {prefix}^+( ({\texttt {id}}^\star , \textsf {T}_{[L-1,0]}({\texttt {t}}^\star )) )\). Therefore, \(\mathcal {B}_{\ell ^\star }\) can make the HIBE secret-key reveal queries on \(({\texttt {id}}_q,\textsf {T}_{[L-1,\ell ]}(0))_{\ell \in [0,L]}\) for the helper-key generation query on \({\texttt {id}}_q\) (if \(\mathcal {B}_{\ell ^\star }\)’s guess of the number \(Q^\star \) is correct).
-
For \(q = Q^\star \) (i.e., \({\texttt {id}}_q = {\texttt {id}}_{Q^\star } = {\texttt {id}}^\star \)), \(\mathcal {A}_{\ell ^\star }\) might make a key-insulation query on \(({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}}))\) for \({\texttt {t}}\in \mathcal {T}_{act}\) and \(\ell \in [0, \ell ^\star -1]\). \(\mathcal {B}_{\ell ^\star }\) can make the HIBE secret-key generation query on \(({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}}))\) since it holds \(({\texttt {id}}_{Q^\star }, \textsf {T}_{ [L-1,\ell ] }({\texttt {t}})) \notin \textsf {prefix}^+( ({\texttt {id}}^\star , \textsf {T}_{[L-1,0]}({\texttt {t}}^\star )) )\) due to the restriction on the special level \(\ell ^\star \).12
5 Generic construction from plain HIBE
5.1 Construction idea
5.2 Construction
-
\(\textsf {Setup}(1^{\lambda }, L) \rightarrow ({\textsf {pp}}, {\textsf {mk}})\): Run \((\textsf {MPK}, \textsf {MSK}) \leftarrow \textsf {Init}(1^{\lambda }, L+1)\) and output \({\textsf {pp}}:=\textsf {MPK}\) and \({\textsf {mk}}:=\textsf {MSK}\).
-
: Parse \({\textsf {pp}}=\textsf {MPK}\). Sample \(\textsf {M}_\ell \leftarrow _R\mathcal {M}\) for \(\ell \in [L]\) and set \(\textsf {M}_0 = \textsf {M}\bigoplus _{\ell \in [L]}\textsf {M}_\ell \). Run
-
\(\textsf {GenHK}({\textsf {pp}}, {\textsf {mk}}, {\texttt {id}}) \rightarrow ( \textsf {hk}_{{\texttt {id}}, 0 }^{( 0 )} )_{\ell \in [0, L]}\): Parse \({\textsf {pp}}= \textsf {MPK}\) and \({\textsf {mk}}= \textsf {MSK}\). For \(\ell \in [0,L]\), compute \(\textsf {hk}_{{\texttt {id}}, 0 }^{( \ell )} :=( {\textsf {SK}}_{ ( i \Vert {\texttt {id}}, \textsf {T}_{[i-1,\ell ]}(0) ) } )_{i \in [\ell ,L]}\) as follows: for \(i \in [\ell , L]\), run
-
\(\textsf {KeyUp}({\textsf {pp}}, {\texttt {t}}, \textsf {hk}_{{\texttt {id}}, t_{\ell +1} }^{( \ell +1 )}) \rightarrow \textsf {ku}_{{\texttt {id}}, \textsf {T}_{ \ell }({\texttt {t}}) }^{( \ell )}\) or \(\bot \): Output \(\bot \) if \(t_{\ell +1} \ne \textsf {T}_{ \ell +1 }({\texttt {t}})\). Otherwise, parse
-
\(\textsf {Upd}({\textsf {pp}}, \textsf {hk}_{{\texttt {id}}, \tau _\ell }^{( \ell )}, \textsf {ku}_{{\texttt {id}}, t_\ell }^{( \ell )}) \rightarrow \textsf {hk}_{{\texttt {id}}, t_\ell }^{( \ell )}\): Suppose \(\tau _{\ell } = \textsf {T}_{ \ell }({\texttt {t}})\) and \(t_\ell = \textsf {T}_\ell ({\texttt {t}}')\). Parse
-
: Parse
-
\(\textsf {M}= \textsf {Dec}(\textsf {MPK}, {\textsf {SK}}_{ 0 \Vert {\texttt {id}} }, \textsf {C}_{ 0\Vert {\texttt {id}} }) \bigoplus _{\ell \in [L]}\textsf {M}_\ell \).
5.3 Security
-
the initial helper-key reveal query on \({\texttt {id}}^\star \);
-
the key-insulation query on \(({\texttt {id}}^\star ,{\texttt {t}},\ell ^\star )\) for any \({\texttt {t}}\in \mathcal {T}_{act}\);
-
the key-insulation query on \(({\texttt {id}}^\star ,{\texttt {t}},\ell )\) for any \({\texttt {t}}\in \mathcal {T}_{act}\) and any \(\ell \in [0,\ell ^\star -1]\) such that \(\textsf {T}_{ [\ell ^\star -1,\ell ] }({\texttt {t}}) = \textsf {T}_{[\ell ^\star -1,\ell ]}({\texttt {t}}^\star )\).
-
For \(\ell \in [0,L] \setminus \{\ell ^\star \}\), \(\mathcal {B}_{\ell ^\star }\) randomly chooses a level-\(\ell \) pseudo-plaintext \({\widehat{\textsf {M}}}_\ell \) and sets an HIBE ciphertext on \((\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star ))\) is an encryption of \({\widehat{\textsf {M}}}_\ell \). Similarly, \(\mathcal {B}_{\ell ^\star }\) randomly chooses a level-0 pseudo-plaintext \({\widehat{\textsf {M}}}_0\) and sets an HIBE ciphertext on \(0 \Vert {\texttt {id}}^\star \) is an encryption of \({\widehat{\textsf {M}}}_0\).
-
\(\mathcal {B}_{\ell ^\star }\) (implicitly) sets HIBE challenge ciphertext on \((\ell ^\star \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell ^\star -1,0]}({\texttt {t}}^\star ))\) is an encryption of \(\textsf {M}^\star _b \bigoplus _{\ell \in [0,L] \setminus \{\ell ^\star \}}{\widehat{\textsf {M}}}_\ell \).
-
\(\textsf {C}_{ (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star )) }^\star \leftarrow \textsf {Enc}(\textsf {MPK}, (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star )), {\widehat{\textsf {M}}}_\ell )\) for \(\ell \in [0,L] \setminus \{\ell ^\star \}\),
-
\(\textsf {M}_\ell ={\widehat{\textsf {M}}}_\ell \) for \(\ell \in [0, L] \setminus \{\ell ^\star \}\),
-
\(\textsf {M}_{\ell ^\star } = \textsf {M}^\star _b \bigoplus _{\ell \in [0,L] \setminus \{\ell ^\star \}}{\widehat{\textsf {M}}}_\ell \),
-
The initial helper-key reveal query on \({\texttt {id}}\).
-
The key-insulation query on \(({\texttt {id}},{\texttt {t}},\ell )\).
-
Case for \(\ell \in [\ell ^\star +1,L]\): In this case, \(\textsf {hk}_{ {\texttt {id}}^\star ,\textsf {T}_{ \ell }({\texttt {t}}) }^{( \ell )}\) does not include any HIBE secret key \({\textsf {SK}}_{ (\ell ^\star \Vert {\texttt {id}}^\star , \textsf {T}_{ [\ell ^\star -1,\ell ] }({\texttt {t}})) }\), which violates the condition (3), by the construction. Therefore, \(\mathcal {B}_{\ell ^\star }\) can make HIBE secret-key reveal queries on \(\ell \Vert {\texttt {id}}\) and \((i \Vert {\texttt {id}},\textsf {T}_{ [i-1,\ell ] }({\texttt {t}}))\) for every \(i \in [\ell +1,L]\).
-
Case for \(\ell = \ell ^\star \): This case never occurs due to the restriction on \(\ell ^\star \).
-
Case for \(\ell \in [0,\ell ^\star -1]\): Since it always holds \(\textsf {T}_{ \ell }({\texttt {t}}) \ne \textsf {T}_{\ell }({\texttt {t}}^\star )\) due to the restriction on \(\ell ^\star \), and it means that such a query always meets the condition (3). \(\mathcal {B}_{\ell ^\star }\) can make HIBE secret-key reveal queries on \(\ell \Vert {\texttt {id}}\) and \((i \Vert {\texttt {id}},\textsf {T}_{ [i-1,\ell ] }({\texttt {t}}))\) for every \(i \in [\ell +1,L]\).
5.4 Achieving CCA security
-
\(\textsf {SSetup}(1^{\lambda }) \rightarrow (\textsf {sigk}, \textsf {verk})\): given the security parameter \(\lambda \), it outputs a key pair \((\textsf {sigk},\textsf {verk})\).
-
\(\textsf {Sign}(\textsf {sigk}, \textsf {M}) \rightarrow \sigma \): given the signing key \(\textsf {sigk}\) and a message \(\textsf {M}\), it outputs a signature \(\sigma \).
-
\(\textsf {Vrfy}(\textsf {verk}, \textsf {M}, \sigma ) \rightarrow \top \) or \(\bot \): given the verification key \(\textsf {verk}\), a message \(\textsf {M}\), and its signature \(\sigma \), it outputs \(\top \), which indicates “acceptance”, or \(\bot \), which indicates “rejection”.
-
: Parse \({\textsf {pp}}=\textsf {MPK}\). Generate \((\textsf {sigk},\textsf {verk}) \leftarrow \textsf {SSetup}(1^{\lambda })\). Sample \(\textsf {M}_\ell \leftarrow _R\mathcal {M}\) for \(\ell \in [L]\) and run
-
: Parse
-
\(\textsf {C}_{ (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star ),\textsf {verk}^\star ) }^\star \leftarrow \textsf {Enc}(\textsf {MPK}, (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star ),\textsf {verk}^\star ), {\widehat{\textsf {M}}}_\ell )\) for \(\ell \in [L]\),
-
\(\textsf {C}_{ (0 \Vert {\texttt {id}}^\star ,\textsf {verk}^\star ) }^\star \leftarrow \textsf {Enc}(\textsf {MPK}, (0 \Vert {\texttt {id}}^\star ,\textsf {verk}^\star ), \textsf {M}_b \bigoplus _{\ell \in [L]}{\widehat{\textsf {M}}}_{\ell }).\)
-
\(\textsf {C}_{ (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star ),\textsf {verk}^\star ) } \leftarrow \textsf {Enc}(\textsf {MPK}, (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star ),\textsf {verk}^\star ), {\widehat{\textsf {M}}}_\ell )\) for \(\ell \in [0,L] \setminus \{\ell ^\star \}\),
-
\(\sigma ^\star \leftarrow \textsf {Sign}(\textsf {sigk}^\star , ( \textsf {C}_{ (\ell \Vert {\texttt {id}}^\star , \textsf {T}_{[\ell -1,0]}({\texttt {t}}^\star ),\textsf {verk}^\star ) } )_{\ell \in [0,L]})\).
-
\(\textsf {M}_\ell ={\widehat{\textsf {M}}}_\ell \) for \(\ell \in [0, L] \setminus \{\ell ^\star \}\),
-
\(\textsf {M}_{\ell ^\star } = \textsf {M}^\star _b \bigoplus _{\ell \in [0,L] \setminus \{\ell ^\star \}}{\widehat{\textsf {M}}}_\ell \) for \(b \in \{0,1\}\).