
Boneh-Boyen HIBE

In the document Belajar tentang Identity-Based Encryption (Pages 77-80)

the importance of BB-(H)IBE lies in the fact that the algebraic techniques introduced in the construction and security reduction turned out to be extremely useful in later works.

The other construction that we describe is a HIBE scheme due to Boneh, Boyen and Goh [35]. This provided a HIBE scheme where the size of the ciphertext does not depend on the number of components in the identity tuple. Such a scheme can be called a constant size ciphertext HIBE scheme. (Note, however, that the size of the ciphertext still does depend on the targeted security level, since the security level determines the size of the underlying groups and hence the length of representation of the group elements.)

where $s$ is a random element of $\mathbb{Z}_p$. Note that the length of the ciphertext depends on the length of the identity.

Decrypt: Decrypt $C = (A, B, C_1, \ldots, C_j)$ using the private key $d_{\mathsf{id}} = (d_0, d_1, \ldots, d_j)$ as

$$A \times \frac{\prod_{i=1}^{j} e(C_i, d_i)}{e(B, d_0)}.$$

Note that for a proper ciphertext, $A = M \times e(P_1,P_2)^s$, i.e., the message $M$ has been masked by the value $e(P_1,P_2)^s$. Since $s$ is a random value which is independent of the other random quantities, this effectively results in $A$ being a random value from $G_T$. For a properly formed ciphertext, the correctness of the decryption procedure follows from the following computation.

$$\frac{\prod_{i=1}^{j} e(C_i,d_i)}{e(B,d_0)}
= \frac{\prod_{i=1}^{j} e\big(r_iF_i(\mathsf{id}_i),P\big)^s}{e\!\left(sP,\; xP_2 + \sum_{i=1}^{j} r_iF_i(\mathsf{id}_i)\right)}
= \frac{\prod_{i=1}^{j} e\big(F_i(\mathsf{id}_i),P\big)^{r_is}}{e(P,P_2)^{sx} \times \prod_{i=1}^{j} e\big(P,F_i(\mathsf{id}_i)\big)^{r_is}}
= \frac{1}{e(P_1,P_2)^s}.$$

Also note that the blinding factor $sx$ commutes under the pairing, allowing more than one way to derive $e(P_1,P_2)^s$. This was later termed commutative blinding, and several (H)IBE schemes utilized this framework.

5.1.1 Security

CPA security of BB-HIBE is proved in the selective-identity model. As is usual for security reductions, the idea is to use an adversary for attacking the HIBE in the selective-identity model to construct an algorithm for solving the DBDH problem.

An adversary $\mathcal{A}$ for the selective-identity game has to commit to an identity tuple before the system is set up. The essential idea is to form the public parameters using the target identity tuple and the DBDH instance in such a way that all the key extraction queries of $\mathcal{A}$ (except on the target identity or any of its prefixes) can be answered by $\mathcal{B}$. A valid challenge, on the other hand, can be generated for the target identity only. So, based on the target identity, the identity space is partitioned into two disjoint subsets.

Below we provide the details of the proof. We would like to draw the reader’s attention to the particular method of simulating a key extraction query made by the adversary.

Initialization: $\mathcal{A}$ commits to a target identity $\mathsf{id}^* = (\mathsf{id}^*_1, \ldots, \mathsf{id}^*_{h'})$ of height $h' \le h$.

If $h' < h$, $\mathcal{B}$ adds extra random elements from $\mathbb{Z}_p$ to make $\mathsf{id}^*$ an identity of height $h$. Let us denote these extra $(h - h')$ elements by $\mathsf{id}^*_{h'+1}, \ldots, \mathsf{id}^*_h$.

Set-Up: Given a DBDH instance $(P, aP, bP, cP, Z)$, $\mathcal{B}$ sets $P_1 = aP$ and $P_2 = bP$.

It then picks random $\alpha_1, \ldots, \alpha_h \in \mathbb{Z}_p$ and defines $Q_j = \alpha_j P - \mathsf{id}^*_j P_1$ for $1 \le j \le h$.

It gives $\mathcal{A}$ the public parameters $\mathsf{PP} = (P, P_1, P_2, Q_1, \ldots, Q_h)$. Note that the $\mathsf{msk} = aP_2 = abP$ is unknown to $\mathcal{B}$. Define the function $F_j(x) = xP_1 + Q_j = (x - \mathsf{id}^*_j)P_1 + \alpha_j P$ for $1 \le j \le h$.

Phase 1: $\mathcal{A}$ makes up to $q$ private key queries. In a private key query corresponding to an identity $\mathsf{id} = (\mathsf{id}_1, \ldots, \mathsf{id}_u)$ with $u \le h$, the only restriction is that $\mathsf{id}^*$ is not a prefix of $\mathsf{id}$. Let $j$ be the smallest index such that $\mathsf{id}_j \ne \mathsf{id}^*_j$. $\mathcal{B}$ chooses random $r_1, \ldots, r_j \in \mathbb{Z}_p$ and first computes

$$\begin{aligned}
d_{0|j} &= -\frac{\alpha_j}{\mathsf{id}_j - \mathsf{id}^*_j}\, P_2 + r_j F_j(\mathsf{id}_j) \\
&= -\frac{\alpha_j}{\mathsf{id}_j - \mathsf{id}^*_j}\, P_2 + r_j\big((\mathsf{id}_j - \mathsf{id}^*_j)P_1 + \alpha_j P\big) \\
&= abP - abP - \frac{\alpha_j}{\mathsf{id}_j - \mathsf{id}^*_j}\, bP + r_j\big((\mathsf{id}_j - \mathsf{id}^*_j)P_1 + \alpha_j P\big) \\
&= aP_2 + \left(r_j - \frac{b}{\mathsf{id}_j - \mathsf{id}^*_j}\right)\big((\mathsf{id}_j - \mathsf{id}^*_j)P_1 + \alpha_j P\big) \\
&= aP_2 + \tilde{r}_j F_j(\mathsf{id}_j)
\end{aligned}$$

where $\tilde{r}_j = r_j - \frac{b}{\mathsf{id}_j - \mathsf{id}^*_j}$. So $\mathcal{B}$ forms the private key of $(\mathsf{id}_1, \ldots, \mathsf{id}_j)$ as

$$d_0 = d_{0|j} + \sum_{i=1}^{j-1} r_i F_i(\mathsf{id}_i),\qquad d_1 = r_1 P,\ \ldots,\ d_{j-1} = r_{j-1} P,\qquad d_j = -\frac{1}{\mathsf{id}_j - \mathsf{id}^*_j}\, P_2 + r_j P = \tilde{r}_j P.$$

It is easy to verify that $(d_0, d_1, \ldots, d_j)$ is a valid private key for $(\mathsf{id}_1, \ldots, \mathsf{id}_j)$. Once the private key of $(\mathsf{id}_1, \ldots, \mathsf{id}_j)$ is formed, $\mathcal{B}$ uses the Key-Gen algorithm to form a private key for $\mathsf{id}$ and returns it to $\mathcal{A}$.

Note that $\mathcal{B}$ can derive a valid private key for an identity $\mathsf{id}$ without the knowledge of the master secret. This is possible as long as $\mathsf{id}^*$ is not a prefix of $\mathsf{id}$. The above algebraic technique of private key derivation is one of the major technical novelties introduced by Boneh and Boyen [32]. Recall that, if the original target identity $\mathsf{id}^* = (\mathsf{id}^*_1, \ldots, \mathsf{id}^*_{h'})$ is of height less than $h$, then $\mathcal{B}$ augments it to an $h$-tuple by randomly choosing $\mathsf{id}^*_{h'+1}, \ldots, \mathsf{id}^*_h$. This forms $h - h'$ descendants of $\mathsf{id}^*$ as $(\mathsf{id}^* \,|\, \mathsf{id}^*_{h'+1})$, $(\mathsf{id}^* \,|\, \mathsf{id}^*_{h'+1}, \mathsf{id}^*_{h'+2})$, $\ldots$, $(\mathsf{id}^* \,|\, \mathsf{id}^*_{h'+1}, \mathsf{id}^*_{h'+2}, \ldots, \mathsf{id}^*_h)$. Hence, $\mathcal{B}$ cannot generate the private key of any of these descendants of $\mathsf{id}^*$. But $\mathcal{A}$ can ask for the private key of any of them. For example, $\mathsf{id} = (\mathsf{id}^*_1, \ldots, \mathsf{id}^*_{h'}, \mathsf{id}^*_{h'+1}, \ldots, \mathsf{id}^*_h)$ can be a valid query for private key extraction. In such an eventuality, $\mathcal{B}$ has to abort the game. Since $\mathsf{id}^*_{h'+1}, \ldots, \mathsf{id}^*_h$ are chosen by the simulator uniformly at random, the probability of abort is very low, of the order $q/p$.

Challenge: After completion of Phase 1, $\mathcal{A}$ outputs two messages $M_0, M_1 \in G_T$. $\mathcal{B}$ chooses a random bit $\gamma$ and forms the ciphertext $C = (M_\gamma \cdot Z,\; cP,\; \alpha_1 cP, \ldots, \alpha_h cP)$.

Note that, as per construction, $F_i(\mathsf{id}^*_i) = \alpha_i P$ for $1 \le i \le h$, so $C = (M_\gamma \cdot Z,\; cP,\; cF_1(\mathsf{id}^*_1), \ldots, cF_h(\mathsf{id}^*_h))$.

If $Z = e(P,P)^{abc} = e(P_1,P_2)^c$ then $C$ is a valid encryption of $M_\gamma$. On the other hand, if $Z$ is random, then $C$ is an encryption of a random element in $G_T$.

Phase 2: $\mathcal{A}$ makes additional queries, which $\mathcal{B}$ answers just like in Phase 1. The total number of queries in Phases 1 and 2 together should not exceed $q$.

Guess: Eventually, $\mathcal{A}$ outputs its guess $\gamma'$ of $\gamma$. If $\gamma' = \gamma$, $\mathcal{B}$ outputs 1, otherwise it outputs 0.

When $Z = e(P,P)^{abc}$, $\mathcal{A}$'s view in the above game is identical to that in a real attack. In that case $|\Pr[\gamma' = \gamma] - 1/2| \ge \varepsilon$. On the other hand, if $Z$ is a random element of $G_T$ then $\Pr[\gamma' = \gamma] = 1/2$. Since the events "$Z = e(P,P)^{abc}$" and "$Z$ is random" are equiprobable, it is easy to see that

$$\mathrm{Adv}^{\mathrm{DBDH}}_{\mathcal{B}} \ge \frac{\varepsilon}{2}.$$

In other words, if the $(t, \varepsilon)$-DBDH assumption holds in $G, G_T$, then the $h$-HIBE of Boneh-Boyen is $(t', q, 2\varepsilon)$-IND-sID-CPA secure for arbitrary $h$ and $q$ and any $t' < t - O(\tau h q)$, where $\tau$ is the time for a scalar multiplication in $G$.
