In the introductory part of this chapter we noted that Waters [170] recently proposed a new paradigm called dual system encryption. He proposed the construction of an IBE scheme in this paradigm with some novel features. We will call this scheme the Waters-2009 IBE to distinguish it from the earlier IBE scheme, also by Waters [169], described in Chapter 7.
The main difficulty in the security reduction of an IBE scheme is the simulation of key extraction queries. Earlier we have seen two main strategies for performing such simulation. In the partitioning strategy, the simulator implicitly partitions the identity space into two parts and is able to answer key extraction queries for identities from one part and generate the challenge ciphertext for identities from the other part. This approach leads to a security degradation because the simulator has to abort the game on certain queries. The previous section describes an approach by Gentry on how to avoid using the partitioning strategy and hence obtain a tight reduction. This is based on the fact that the simulator is able to generate exactly one key for every identity.
The Waters-2009 IBE scheme uses a somewhat different approach in the security reduction. Apart from usual ciphertexts and usual decryption keys, he defines two new notions – semi-functional ciphertexts and semi-functional decryption keys. These have some special properties.
1. A semi-functional ciphertext can be decrypted using a normal decryption key.
2. A normal ciphertext can be decrypted using a semi-functional decryption key.
3. A semi-functional ciphertext cannot be decrypted using a semi-functional decryption key.
Waters proposed a hybrid argument where the reduction proceeds through a sequence of $(q+3)$ games, where $q$ is the maximum number of key extraction queries. The first game is the usual security game defining the CPA-security of IBE. In the second game, the normal challenge ciphertext is replaced by a semi-functional ciphertext. In the next $q$ games, individual responses to the key extraction queries are replaced one-by-one with semi-functional decryption keys. A change from normal to semi-functional (whether of the ciphertext or of a decryption key) is not detectable by an adversary, assuming that the decision linear problem is hard. The last change is to provide the adversary with a semi-functional ciphertext on a random element, and the adversary does not notice this change if DBDH is assumed to be hard. This approach to security reduction has been called dual system encryption in [170] and has later been used to build several cryptographic primitives, including a constant size ciphertext HIBE [131].
Applying this novel proof technique, Waters achieves two important goals. The first one is to construct an IBE whose security is based on a static assumption (i.e., the instance of the hard problem does not depend on some parameter of the scheme), does not use random oracles, and for which the size of the public parameters is independent of the security parameter. Apart from the last point, the previous two points were already achieved in the previous IBE scheme of Waters [169]. Recall that in [169], the number of elliptic curve points in the public parameters is $n+3$ to achieve $n/2$-bit security. The generalization in [60, 137] reduces this to a fraction of $n$, but the number of points in the public parameters still grows with $n$. The second achievement is to extend the IBE to an HIBE where the security degradation is not exponential in the number of levels.
A comment on the implementation aspects of Waters-2009 IBE is, however, in order. For practical security levels such as 80-bit or 128-bit security, the actual size of the public parameters in [60] is comparable to that of Waters-2009. On the other hand, the efficiencies of encryption and decryption in [60] are much better than those of Waters-2009. So, even though several new ideas are introduced in the Waters-2009 IBE scheme, at the current point of time it is still mainly of theoretical interest.
Below we describe the IBE scheme and the security proof. The description of the scheme is quite involved, and so is the security reduction. As a running intuition, it might help the reader to keep in mind that the purpose is to be able to change some parts of a normal ciphertext to obtain a semi-functional ciphertext and also change some parts of a normal decryption key to obtain a semi-functional decryption key. This essentially requires some kind of implicit splitting of keys and ciphertexts into two parts.
Set-Up: PKG chooses independent and random generators $P, V, V_1, V_2, W, U, Q$ from $G$ and independent and uniform random elements $a_1, a_2, b, \alpha$ from $\mathbb{Z}_p$. It sets $T_1 = V + a_1V_1$ and $T_2 = V + a_2V_2$. The public parameters consist of the following elements:
$$P,\ bP,\ a_1P,\ a_2P,\ ba_1P,\ ba_2P,\ T_1,\ T_2,\ bT_1,\ bT_2,\ W,\ U,\ Q,\ e(P,P)^{\alpha a_1 b}.$$
The master secret key consists of the following elements: $\alpha P,\ \alpha a_1P,\ V,\ V_1,\ V_2$. Identities are elements of $\mathbb{Z}_p$.
If we consider $a = a_1 + a_2$, then $a_1P$ and $a_2P$ form a split of $aP$, and $ba_1P$ and $ba_2P$ form a split of $abP$. It will be helpful to think of $\alpha P$ as the main component of the master secret key.$^1$
Key-Gen: The input is an identity $\mathsf{id} \in \mathbb{Z}_p$. The PKG chooses independent and uniform random elements $r_1, r_2, z_1, z_2, \mathsf{ktag}$ from $\mathbb{Z}_p$ and sets $r = r_1 + r_2$. The secret key $d_{\mathsf{id}}$ for the identity $\mathsf{id}$ is defined to be $(D_1, \ldots, D_7, K, \mathsf{ktag})$, where
$$\begin{aligned}
D_1 &= \alpha a_1P + rV; & D_2 &= -\alpha P + rV_1 + z_1P; & D_3 &= -z_1(bP);\\
D_4 &= rV_2 + z_2P; & D_5 &= -z_2(bP); & D_6 &= r_2bP;\\
D_7 &= r_1P; & K &= r_1(\mathsf{id}\,U + \mathsf{ktag}\,W + Q).
\end{aligned}$$
The elements $D_1, D_2, D_4$ depend on $r = r_1 + r_2$, whereas $D_6$ depends on $r_2$, and $D_7$ and $K$ depend on $r_1$. Note that $K$ is the only element of the key which depends on the identity $\mathsf{id}$.
Encrypt: The input is an identity $\mathsf{id} \in \mathbb{Z}_p$ and a message $M \in G_T$. The sender chooses independent and uniform random $s_1, s_2, t, \mathsf{ctag}$ from $\mathbb{Z}_p$ and sets $s = s_1 + s_2$. The ciphertext is $(C_0, \ldots, C_7, E_1, E_2, \mathsf{ctag})$, where
$$\begin{aligned}
C_0 &= M \times \left(e(P,P)^{\alpha a_1 b}\right)^{s_2}; & C_1 &= s(bP); & C_2 &= s_1(ba_1P);\\
C_3 &= s_1(a_1P); & C_4 &= s_2(ba_2P); & C_5 &= s_2(a_2P);\\
C_6 &= s_1T_1 + s_2T_2; & C_7 &= s_1(bT_1) + s_2(bT_2) - tW;\\
E_1 &= t(\mathsf{id}\,U + \mathsf{ctag}\,W + Q); & E_2 &= tP.
\end{aligned}$$
The message $M$ is masked by $(e(P,P)^{\alpha a_1 b})^{s_2}$, where $s_2$ is the randomiser and $e(P,P)^{\alpha a_1 b}$ is part of the public parameters. $C_0$ is the only component of the ciphertext which depends on $\alpha$. The value $s$ is formed as $s = s_1 + s_2$. $C_1$ depends on $s$; $C_2, C_3$ depend on $s_1$; $C_4, C_5$ depend on $s_2$; and $C_6, C_7$ depend on both $s_1$ and $s_2$. The only part of the ciphertext which depends on the identity is $E_1$. The element $E_2 = tP$, and the other elements affected by $t$ are $C_7$ and $E_1$.
Decrypt: The input is a ciphertext $(C_0, \ldots, C_7, E_1, E_2, \mathsf{ctag})$, an identity $\mathsf{id}$ and a decryption key $d_{\mathsf{id}} = (D_1, \ldots, D_7, K, \mathsf{ktag})$. If $\mathsf{ctag} = \mathsf{ktag}$, then the ciphertext cannot be decrypted; this event occurs with probability $1/p$. The decryption consists of several computations. (Note $r = r_1 + r_2$ and $s = s_1 + s_2$.)
$$\begin{aligned}
A_1 &= e(C_1,D_1)\times e(C_2,D_2)\times e(C_3,D_3)\times e(C_4,D_4)\times e(C_5,D_5)\\
&= e(P,P)^{\alpha a_1b(s_1+s_2)}\times e(P,V)^{(s_1+s_2)rb}\times e(P,P)^{-\alpha a_1bs_1}\times e(P,V_1)^{a_1bs_1r}\\
&\quad\times e(P,P)^{ba_1s_1z_1}\times e(P,P)^{-ba_1s_1z_1}\times e(P,V_2)^{ba_2s_2r}\\
&\quad\times e(P,P)^{ba_2s_2z_2}\times e(P,P)^{-ba_2s_2z_2}\\
&= e(P,P)^{\alpha a_1bs_2}\times e(V,P)^{b(s_1+s_2)r}\times e(V_1,P)^{a_1bs_1r}\times e(V_2,P)^{a_2bs_2r},\\
A_2 &= e(C_6,D_6)\times e(C_7,D_7)\\
&= e(V,P)^{b(s_1+s_2)r}\times e(V_1,P)^{a_1bs_1r}\times e(V_2,P)^{a_2bs_2r}\times e(P,W)^{-r_1t},\\
A_3 &= A_1/A_2 = e(P,P)^{\alpha a_1bs_2}\times e(P,W)^{r_1t}.
\end{aligned}$$
If $\mathsf{ctag} \neq \mathsf{ktag}$, then
$$A_4 = \left(\frac{e(E_1,D_7)}{e(E_2,K)}\right)^{1/(\mathsf{ctag}-\mathsf{ktag})} = e(P,W)^{r_1t}, \qquad \frac{A_3}{A_4} = e(P,P)^{\alpha a_1bs_2}.$$
Finally, the message is obtained as $M = C_0/(A_3/A_4)$.

$^1$ In both the conference version [170] and the full version [171], the element $P$ is shown to be part of the master secret key. If this is the case, then the element $E_2$ of the ciphertext (see Encrypt) cannot be generated. We believe this is an error and $P$ should be part of the public parameters.
The above completes the description of the scheme. We now turn to the security analysis. For this, it is first necessary to introduce the notions of semi-functional ciphertexts and decryption keys.
Semi-functional ciphertexts.
Let $(C_0, \ldots, C_7, E_1, E_2, \mathsf{ctag})$ be a ciphertext generated by the encryption algorithm. Choose a uniform random $x$ in $\mathbb{Z}_p$ and define a semi-functional ciphertext $(C_0', \ldots, C_7', E_1', E_2', \mathsf{ctag})$ as follows:
$$\begin{aligned}
C_i' &= C_i \text{ for } i = 0,1,2,3; \qquad E_1' = E_1 \text{ and } E_2' = E_2;\\
C_4' &= C_4 + ba_2xP; \quad C_5' = C_5 + a_2xP; \quad C_6' = C_6 + a_2xV_2; \quad C_7' = C_7 + a_2bxV_2.
\end{aligned}$$
The components $C_0, C_1, C_2, C_3$ and $E_1, E_2$ are left unchanged. The four components $C_4$ to $C_7$ are changed. The change corresponds to a separate (partial) randomisation by the value $x$. In the above, the role played by $s_2$ in the normal ciphertext is now played by $(s_2 + x)$, while the roles of $s_1$ and $s$ remain unchanged. In other words, the randomising triplet $(s, s_1, s_2)$ is changed to $(s, s_1, s_2 + x)$. This is easy to see for $C_4$ and $C_5$, and can be seen for $C_6$ and $C_7$ by expanding $T_1$ and $T_2$ in terms of $V_1$ and $V_2$ as defined during the set-up. Note that changing $(s, s_1, s_2)$ to $(s' = s, s_1' = s_1, s_2' = s_2 + x)$ violates the condition $s' = s_1' + s_2'$ which would have to hold for a proper ciphertext.
The modification to $C_4$ and $C_5$ can be done using $ba_2P$ and $a_2P$, which form part of the public parameters, and hence can be done by anybody. However, the changes to $C_6$ and $C_7$ require the use of the secret element $V_2$ apart from the values $a_2$ and $b$. $V_2$ is part of the master secret key, whereas $a_2$ and $b$ are not. So, even the master secret key is not sufficient to form a semi-functional ciphertext. However, this is of no concern in the actual scheme. On the other hand, in the security reduction we will see that the simulator can generate a semi-functional ciphertext because it will have the values $a_2$ and $b$.
Semi-functional decryption keys.
Let $(D_1, \ldots, D_7, K, \mathsf{ktag})$ be a decryption key for an identity $\mathsf{id}$. Choose a uniform random $\gamma$ from $\mathbb{Z}_p$ and define a semi-functional decryption key
$$(D_1', \ldots, D_7', K, \mathsf{ktag}) \qquad (8.2.1)$$
as follows:
$$D_i' = D_i \text{ for } i = 3 \text{ and } i = 5,6,7; \qquad D_1' = D_1 - a_1a_2\gamma P; \quad D_2' = D_2 + a_2\gamma P; \quad D_4' = D_4 + a_1\gamma P.$$
Only the elements $D_1$, $D_2$ and $D_4$ are modified, and all other elements of the normal decryption key remain unchanged. The changed elements depend on the randomiser $\gamma$. Modifications to $D_2$ and $D_4$ can be done based on public knowledge ($a_2P$ and $a_1P$) and $\gamma$. But the modification to $D_1$ requires $a_1a_2P$, which cannot be computed from the public information $P$, $a_1P$ and $a_2P$ (unless CDH is easy). In fact, it is also not possible to compute this from the master secret key. However, the simulator in the proof will have $a_1$ and $a_2$ and will be able to perform this computation.
A decryption of a semi-functional ciphertext with a normal key will succeed because of the following computation:
$$\frac{e(ba_2xP, D_4)\times e(a_2xP, D_5)}{e(a_2xV_2, D_6)\times e(a_2bxV_2, D_7)} = 1$$
when $D_4, D_5, D_6$ and $D_7$ come from a normally generated private key. Similarly, the decryption of a normal ciphertext with a semi-functional key will succeed due to the following computation:
$$e(C_1, -a_1a_2\gamma P)\times e(C_2, a_2\gamma P)\times e(C_4, a_1\gamma P) = 1.$$
If, on the other hand, an attempt is made to decrypt a semi-functional ciphertext with a semi-functional decryption key, then the recovered value will be the message times the quantity $e(P,P)^{-a_1a_2x\gamma b}$, and will be a random value due to the randomness of $x$ (and $\gamma$).
Theorem 8.2. The IBE scheme described above is $(t, \varepsilon_{\mathrm{ibe}}, q)$-CPA-secure assuming that DLIN is $(t', \varepsilon_{\mathrm{dlin}})$-hard and DBDH is $(t', \varepsilon_{\mathrm{dbdh}})$-hard, where
$$\varepsilon_{\mathrm{ibe}} \le (q+1)\varepsilon_{\mathrm{dlin}} + \varepsilon_{\mathrm{dbdh}}$$
and $t' = t + O(q\tau)$, where $\tau$ is the time required for a scalar multiplication in $G$.
Proof: The proof proceeds through a total of $(q+3)$ games. The initial game $\mathrm{Game}_{\mathrm{real}}$ is the actual security game used in defining CPA-security of IBE. Then there are $(q+1)$ security games $\mathrm{Game}_0$ to $\mathrm{Game}_q$, followed by $\mathrm{Game}_{\mathrm{final}}$. Suppose $X_{\mathrm{real}}, X_0, \ldots, X_q, X_{\mathrm{final}}$ are the events that the adversary's guesses in games $\mathrm{Game}_{\mathrm{real}}, \mathrm{Game}_0$ to $\mathrm{Game}_q$ and $\mathrm{Game}_{\mathrm{final}}$ respectively are correct. The changes between the games are as follows.
1. The change between $\mathrm{Game}_{\mathrm{real}}$ and $\mathrm{Game}_0$ is that the challenge ciphertext is changed from normal to semi-functional.
2. The change between $\mathrm{Game}_{k-1}$ and $\mathrm{Game}_k$ is that the reply to the $k$-th key extraction query is changed from normal to semi-functional. The replies to queries numbered $1$ to $k-1$ are semi-functional keys and the replies to queries numbered $k+1$ to $q$ are normal keys.
3. The change between $\mathrm{Game}_q$ and $\mathrm{Game}_{\mathrm{final}}$ is that the challenge ciphertext is a semi-functional ciphertext on a random element of $G_T$. This game statistically hides the simulator's uniform random choice of one of the two messages, and so $\Pr[X_{\mathrm{final}}] = 1/2$.
A sequence of lemmas below shows the following results.
1. $|\Pr[X_{\mathrm{real}}] - \Pr[X_0]| \le \varepsilon_{\mathrm{dlin}}$.
2. $|\Pr[X_{k-1}] - \Pr[X_k]| \le \varepsilon_{\mathrm{dlin}}$ for $k = 1, \ldots, q$.
3. $|\Pr[X_q] - \Pr[X_{\mathrm{final}}]| \le \varepsilon_{\mathrm{dbdh}}$.
The probability of $X_{\mathrm{final}}$ is $1/2$, and so
$$\begin{aligned}
\varepsilon_{\mathrm{ibe}} &= \left|\Pr[X_{\mathrm{real}}] - \tfrac{1}{2}\right| = |\Pr[X_{\mathrm{real}}] - \Pr[X_{\mathrm{final}}]|\\
&\le |\Pr[X_{\mathrm{real}}] - \Pr[X_0]| + \sum_{k=1}^{q}|\Pr[X_{k-1}] - \Pr[X_k]| + |\Pr[X_q] - \Pr[X_{\mathrm{final}}]|\\
&\le (q+1)\varepsilon_{\mathrm{dlin}} + \varepsilon_{\mathrm{dbdh}}.
\end{aligned}$$
So, the task is to prove the above statements on the indistinguishability of two successive games (under a complexity assumption). This is done in the three lemmas below. In the proofs of these lemmas, $\mathcal{A}$ is a CPA-adversary against the Waters-2009 IBE and $\mathcal{B}$ is an algorithm which interacts with $\mathcal{A}$ to solve either the DLIN or the DBDH problem.
Lemma 8.1. $|\Pr[X_{\mathrm{real}}] - \Pr[X_0]| \le \varepsilon_{\mathrm{dlin}}$.
Proof: The input to $\mathcal{B}$ is an instance $(P, R, S, c_1P, c_2R, T)$ of DLIN, where $T$ is either $(c_1+c_2)S$ or a random element of $G$. $\mathcal{B}$ sets up the IBE scheme, answers key extraction queries and generates the challenge ciphertext. In $\mathrm{Game}_{\mathrm{real}}$ this is a normal ciphertext, while in $\mathrm{Game}_0$ it is a semi-functional ciphertext. The adversary's ability to distinguish between these two types of ciphertexts translates into the ability of $\mathcal{B}$ to determine whether $T$ is real or random. Now we describe how $\mathcal{B}$ simulates the protocol environment for $\mathcal{A}$.
Set-Up: $\mathcal{B}$ chooses independent and uniform random elements $b, \alpha, y, y_1, y_2$ from $\mathbb{Z}_p$ and independent and uniform random elements $U, W, Q$ from $G$. It then sets $a_1P$ to be equal to $R$ and $a_2P$ to be equal to $S$. Note that $\mathcal{B}$ cannot actually determine $a_1$ or $a_2$ (without solving discrete log in $G$). Then $\mathcal{B}$ computes
$$\begin{aligned}
&bP,\quad b(a_1P) = bR,\quad b(a_2P) = bS,\quad V = yP,\quad V_1 = y_1P,\quad V_2 = y_2P,\\
&T_1 = V + a_1V_1 = V + y_1(a_1P) = V + y_1R,\quad T_2 = V + a_2V_2 = V + y_2(a_2P) = V + y_2S,\quad bT_1,\quad bT_2,\\
&e(P,P)^{\alpha a_1b} = e(P, a_1P)^{\alpha b} = e(P,R)^{\alpha b}.
\end{aligned}$$
So $\mathcal{B}$ can provide $\mathcal{A}$ with a proper set of public parameters. The master secret key is $(\alpha P, \alpha(a_1P), V, V_1, V_2) = (\alpha P, \alpha R, V, V_1, V_2)$, which $\mathcal{B}$ can compute.
Key Extraction Query: Since $\mathcal{B}$ has the master key, it can generate normal secret keys for any identity of the adversary's choice.
Challenge: $\mathcal{B}$ receives two messages $M_0$ and $M_1$ and a challenge identity $\mathsf{id}^*$, and chooses a uniform random bit $\beta$. First $\mathcal{B}$ generates a normal ciphertext $(C_0, \ldots, C_7, E_1, E_2, \mathsf{ctag})$ for $M_\beta$ using the encryption algorithm. Let $s_1, s_2$ and $t$ be the random elements of $\mathbb{Z}_p$ used in creating this ciphertext. This ciphertext is converted into a ciphertext $(C_0', \ldots, C_7', E_1, E_2, \mathsf{ctag})$ as follows:
$$\begin{aligned}
C_0' &= C_0\times(e(c_1P,R)\times e(P,c_2R))^{b\alpha}, & C_1' &= C_1 + b(c_1P), & C_2' &= C_2 - b(c_2R),\\
C_3' &= C_3 - c_2R, & C_4' &= C_4 + bT, & C_5' &= C_5 + T,\\
C_6' &= C_6 + y(c_1P) - y_1(c_2R) + y_2T, & C_7' &= C_7 + b(y(c_1P) - y_1(c_2R) + y_2T).
\end{aligned}$$
$(C_0', \ldots, C_7', E_1, E_2, \mathsf{ctag})$ is returned to $\mathcal{A}$ as the challenge ciphertext.
If $T = (c_1+c_2)S$, then the challenge is a normal ciphertext under the implicit assignment $s_1' = s_1 - c_2$ and $s_2' = s_2 + c_1 + c_2$. If, on the other hand, $T$ is a uniform random element of $G$, then the challenge is a semi-functional ciphertext. For ease of understanding we work out the details. Let $s_1' = s_1 - c_2$, $s_2' = s_2 + c_1 + c_2$ and $s' = s_1 + s_2 + c_1$. Also, in the computation, we assume that $T$ is real, i.e., $T = (c_1+c_2)S$. The case of random $T$ is similar and is mentioned later.
$$\begin{aligned}
C_0' &= C_0\times(e(c_1P,R)\times e(P,c_2R))^{b\alpha}\\
&= M_\beta\times e(P,R)^{\alpha bs_2}\times e(P,R)^{(c_1+c_2)\alpha b}\\
&= M_\beta\times e(P,R)^{\alpha b(s_2+c_1+c_2)}\\
&= M_\beta\times e(P,R)^{\alpha bs_2'},\\
C_1' &= C_1 + b(c_1P) = (s_1+s_2)bP + bc_1P = s'(bP),\\
C_2' &= C_2 - b(c_2R) = s_1(bR) - bc_2R = s_1'(bR),\\
C_3' &= C_3 - c_2R = s_1R - c_2R = s_1'R,\\
C_4' &= C_4 + bT = s_2(bS) + bT = b(s_2S + T) = s_2'(bS),\\
C_5' &= C_5 + T = s_2S + T = s_2'S,\\
C_6' &= C_6 + y(c_1P) - y_1(c_2R) + y_2T\\
&= s_1T_1 + s_2T_2 + y(c_1P) - y_1(c_2R) + y_2T\\
&= s_1(V+y_1R) + s_2(V+y_2S) + y(c_1P) - y_1(c_2R) + y_2T\\
&= s_1(V+y_1R) + s_2(V+y_2S) - yc_2P - y_1c_2R + yc_1P + yc_2P + y_2(c_1+c_2)S\\
&= (s_1-c_2)T_1 + (s_2+c_1+c_2)T_2\\
&= s_1'T_1 + s_2'T_2,\\
C_7' &= C_7 + b(y(c_1P) - y_1(c_2R) + y_2T)\\
&= s_1(bT_1) + s_2(bT_2) - tW + b(y(c_1P) - y_1(c_2R) + y_2T)\\
&= \cdots\\
&= s_1'(bT_1) + s_2'(bT_2) - tW.
\end{aligned}$$
When $T$ is random, we can write $T = (c_1+c_2)S + a_2xP$ for some random $x$. The reader can now verify that this gives a semi-functional ciphertext.
Guess: At the end of the game, $\mathcal{A}$ returns its guess $\beta'$ and $\mathcal{B}$ returns $1 \oplus \beta \oplus \beta'$. In the above simulation, if $T$ is real then $\mathcal{B}$ is simulating $\mathrm{Game}_{\mathrm{real}}$, and if $T$ is random then $\mathcal{B}$ is simulating $\mathrm{Game}_0$. A crucial point to note is that $\mathcal{B}$ can generate a normal private key for the challenge identity but not a semi-functional private key. Hence $\mathcal{B}$ cannot by itself decide whether the challenge ciphertext is semi-functional or normal. If, on the other hand, $\mathcal{A}$ can distinguish between the two, then the advantage of $\mathcal{A}$ translates into the advantage of $\mathcal{B}$ in solving the given instance of the DLIN problem. $\square$
Lemma 8.2. For $1 \le k \le q$, $|\Pr[X_{k-1}] - \Pr[X_k]| \le \varepsilon_{\mathrm{dlin}}$.
Proof: As in Lemma 8.1, the input to $\mathcal{B}$ is an instance $(P, R, S, c_1P, c_2R, T)$ of the DLIN problem. Based on this, $\mathcal{B}$ simulates the protocol environment as follows.
Set-Up: $\mathcal{B}$ chooses independent and uniform random values $\alpha, a_1, a_2, y_1, y_2, w, u, h$ and computes the following quantities:
$$\begin{aligned}
&bP = R,\quad ba_1P = a_1R,\quad ba_2P = a_2R,\quad V = -a_1a_2S,\quad V_1 = a_2S + y_1P,\quad V_2 = a_1S + y_2P,\\
&e(P,P)^{\alpha a_1b} = e(R,P)^{\alpha a_1},\quad T_1 = V + a_1V_1 = -a_1a_2S + a_1a_2S + a_1y_1P = a_1y_1P,\quad T_2 = V + a_2V_2 = a_2y_2P,\\
&bT_1 = b(V + a_1V_1) = a_1y_1R,\quad bT_2 = b(V + a_2V_2) = a_2y_2R.
\end{aligned}$$
The computation of the expressions for $T_2$, $bT_1$ and $bT_2$ is similar to that of $T_1$. $\mathcal{B}$ chooses independent and uniform random $\gamma_1, \gamma_2$ in $\mathbb{Z}_p$ and sets $W = R + wP$, $U = -\gamma_1R + uP$ and $Q = -\gamma_2R + hP$. $\mathcal{B}$ sets the public parameters as per the protocol and gives them to $\mathcal{A}$. Since $\alpha$ is known to $\mathcal{B}$, it also knows the master secret key.
For any identity $\mathsf{id}$, define $F(\mathsf{id}) = \gamma_1\mathsf{id} + \gamma_2$. This $F$ is a pairwise independent function, and so if the adversary is given $F(\mathsf{id})$ for some identity $\mathsf{id}$, then for any $\mathsf{id}' \neq \mathsf{id}$, $F(\mathsf{id}')$ is uniformly distributed over $\mathbb{Z}_p$.
Key Extraction Query: There are a total of $q$ queries covering both the phases. The simulation depends on the query number and does not depend on whether it is a Phase 1 or a Phase 2 query. Suppose the $i$-th query is to be simulated. Depending on the value of $i$, there are three cases.
Case $i > k$. $\mathcal{B}$ generates a normal key for $\mathsf{id}$ using the master secret key that it knows. This key is returned to $\mathcal{A}$.
Case $i < k$. $\mathcal{B}$ creates a normal decryption key and then converts it into a semi-functional key using the method of generating semi-functional keys (see the equations following (8.2.1)). Since $\mathcal{B}$ knows $a_1$ and $a_2$, this can be done. The semi-functional key is returned.
Case $i = k$. $\mathcal{B}$ sets $\mathsf{ktag}^* = F(\mathsf{id})$ and, using this $\mathsf{ktag}$, runs the key generation algorithm to obtain a normal decryption key $d_{\mathsf{id}} = (D_1, \ldots, D_7, K, \mathsf{ktag}^*)$ for $\mathsf{id}$. Suppose the random values used to generate this key are $r_1, r_2, z_1$ and $z_2$. $\mathcal{B}$ then defines
$$\begin{aligned}
D_1' &= D_1 - a_1a_2T, & D_2' &= D_2 + a_2T + y_1(c_1P), & D_3' &= D_3 + y_1(c_2R),\\
D_4' &= D_4 + a_1T + y_2(c_1P), & D_5' &= D_5 + y_2(c_2R), & D_6' &= D_6 + c_2R,\\
D_7' &= D_7 + (c_1P), & K' &= K + (u\,\mathsf{id} + h + w\,\mathsf{ktag}^*)(c_1P).
\end{aligned}$$
The crucial point is that $\mathsf{ktag}^* = F(\mathsf{id}) = \gamma_1\mathsf{id} + \gamma_2$ allows $K'$ to be properly created, since
$$\begin{aligned}
K' &= r_1(\mathsf{id}\,U + \mathsf{ktag}^*W + Q) + (u\,\mathsf{id} + h + w\,\mathsf{ktag}^*)(c_1P)\\
&= r_1(-\gamma_1\mathsf{id}\,R + u\,\mathsf{id}\,P + \mathsf{ktag}^*(R + wP) - \gamma_2R + hP) + c_1(u\,\mathsf{id} + h + w\,\mathsf{ktag}^*)P\\
&= (r_1 + c_1)(u\,\mathsf{id}\,P + w\,\mathsf{ktag}^*P + hP)\\
&= r_1'(\mathsf{id}\,U + \mathsf{ktag}^*W + Q).
\end{aligned}$$
Also, the definition of $D_2'$ and $D_4'$ implicitly sets $z_1' = z_1 - y_1c_2$ and $z_2' = z_2 - y_2c_2$. If $T = (c_1+c_2)S$ and we set $r_1' = r_1 + c_1$ and $r_2' = r_2 + c_2$, then the key $(D_1', \ldots, D_7', K', \mathsf{ktag}^*)$ is a normal key, and if $T$ is a uniform random element of $G$, then it is a semi-functional key under the use of the randomness $r_1'$ and $r_2'$. We provide the details of this computation for $D_1', D_2'$ and $D_4'$ for the case where $T$ is real, i.e., $T = (c_1+c_2)S$. Also, let $r_1' = r_1 + c_1$, $r_2' = r_2 + c_2$, $z_1' = z_1 - y_1c_2$ and $z_2' = z_2 - y_2c_2$.
$$\begin{aligned}
D_1' &= D_1 - a_1a_2T\\
&= \alpha a_1P + (r_1+r_2)V - a_1a_2T\\
&= \alpha a_1P - a_1a_2(r_1+r_2+c_1+c_2)S\\
&= \alpha a_1P + (r_1'+r_2')(-a_1a_2S)\\
&= \alpha a_1P + (r_1'+r_2')V,\\
D_2' &= D_2 + a_2T + y_1(c_1P)\\
&= -\alpha P + (r_1+r_2)V_1 + z_1P + a_2(c_1+c_2)S + y_1(c_1P)\\
&= -\alpha P + (r_1+r_2)(a_2S+y_1P) + c_1(a_2S+y_1P) + c_2(a_2S+y_1P) - c_2y_1P + z_1P\\
&= -\alpha P + (r_1+c_1+r_2+c_2)V_1 + (z_1 - c_2y_1)P\\
&= -\alpha P + (r_1'+r_2')V_1 + z_1'P,\\
D_4' &= (r_1+r_2)V_2 + z_2P + a_1(c_1+c_2)S + y_2(c_1P)\\
&= (r_1+r_2)V_2 + c_1(a_1S+y_2P) + c_2(a_1S+y_2P) + z_2P - c_2y_2P\\
&= (r_1'+r_2')V_2 + z_2'P.
\end{aligned}$$
If $T$ is random, we can write $T = (c_1+c_2)S + \gamma P$ for some (unknown) $\gamma \in \mathbb{Z}_p$, which gives a semi-functional key.
Challenge: The challenge identity is $\mathsf{id}^*$ and the two messages are $M_0$ and $M_1$. $\mathcal{B}$ has to return a semi-functional ciphertext. (From $\mathrm{Game}_0$ onwards the challenge ciphertext is to be a semi-functional ciphertext.) Since $\mathcal{B}$ does not have the element $bV_2$ (recall that $\mathcal{B}$ sets $bP = R$ in the public parameters and does not know $b$), it cannot directly create a semi-functional ciphertext. The method of doing this is described below.
$\mathcal{B}$ sets $\mathsf{ctag}^* = F(\mathsf{id}^*)$. As usual, $\mathcal{B}$ generates a uniform random bit $\beta$ and sets $M^* = M_\beta$. $\mathcal{B}$ now obtains a normal ciphertext $(C_0, C_1, \ldots, C_7, E_1, E_2, \mathsf{ctag}^*)$ for $M^*$ under identity $\mathsf{id}^*$; let $s_1, s_2$ and $t$ be the random values used to generate it. $\mathcal{B}$ now chooses a uniform random $x$ in $\mathbb{Z}_p$ and computes the following:
$$\begin{aligned}
C_4' &= C_4 + xa_2R, & C_5' &= C_5 + xa_2P,\\
C_6' &= C_6 + xa_2V_2, & C_7' &= C_7 + y_2xa_2R - a_1xwa_2S,\\
E_1' &= E_1 + a_1a_2x(\mathsf{id}^*u + h + \mathsf{ctag}^*w)S, & E_2' &= E_2 + a_1a_2xS.
\end{aligned}$$
The semi-functional ciphertext is
$$(C_0, C_1, C_2, C_3, C_4', \ldots, C_7', E_1', E_2', \mathsf{ctag}^*).$$
Elements $C_4', C_5'$ and $C_6'$ are generated by the usual method of generating a semi-functional ciphertext. Justification for $C_7', E_1'$ and $E_2'$ is given by the following computation. Let $t' = t + \rho a_1a_2x$ and $S = \rho P$; then
$$\begin{aligned}
C_7' &= C_7 + y_2xa_2(bP) - a_1xwa_2S\\
&= C_7 + y_2xa_2bP - a_1xwa_2S + a_1a_2bxS - a_1a_2bxS\\
&= C_7 + a_2bx(y_2P + a_1S) - a_1a_2x(b+w)S\\
&= (bs_1T_1 + bs_2T_2 - tW) + a_2bxV_2 - a_1a_2x(b+w)S\\
&= (bs_1T_1 + bs_2T_2 - t'W) + a_2bxV_2.
\end{aligned}$$
The last equality follows from the following:
$$\begin{aligned}
-tW - a_1a_2x(b+w)S &= -t(R+wP) - a_1a_2x(b+w)S\\
&= -tbP - twP - a_1a_2x(b+w)(\rho P)\\
&= (-t - \rho a_1a_2x)(bP) + (-t - \rho a_1a_2x)(wP)\\
&= (-t - \rho a_1a_2x)(R + wP)\\
&= (-t - \rho a_1a_2x)W\\
&= -t'W.
\end{aligned}$$
In other words, $\mathcal{B}$ implicitly sets $t'P = tP + a_1a_2xS$ for some unknown $t'$. This could be a problem in the computation of $E_1'$. Setting $\mathsf{ctag}^* = F(\mathsf{id}^*)$, the simulator can avoid this problem as shown below:
$$\begin{aligned}
E_1' &= E_1 + a_1a_2x(\mathsf{id}^*u + h + \mathsf{ctag}^*w)S\\
&= t(\mathsf{id}^*U + \mathsf{ctag}^*W + Q) + a_1a_2x(\mathsf{id}^*u + h + \mathsf{ctag}^*w)S\\
&= t(\mathsf{id}^*(-\gamma_1R + uP) + (\gamma_1\mathsf{id}^* + \gamma_2)(R + wP) - \gamma_2R + hP) + a_1a_2x(\mathsf{id}^*u + h + \mathsf{ctag}^*w)S\\
&= t(\mathsf{id}^*u + h + \mathsf{ctag}^*w)P + a_1a_2x(\mathsf{id}^*u + h + \mathsf{ctag}^*w)\rho P\\
&= (\mathsf{id}^*u + h + \mathsf{ctag}^*w)(tP + a_1a_2x\rho P)\\
&= t'(\mathsf{id}^*u + h + \mathsf{ctag}^*w)P\\
&= t'(\mathsf{id}^*U + \mathsf{ctag}^*W + Q),\\
E_2' &= E_2 + a_1a_2xS = tP + a_1a_2x\rho P = t'P.
\end{aligned}$$
However, $\mathcal{B}$ cannot use the above strategy to generate a semi-functional ciphertext for the $k$-th identity and check whether the corresponding key is semi-functional or not. In that case the decryption will fail unconditionally, as $\mathsf{ctag}$ will be equal to $\mathsf{ktag}$.
Guess: $\mathcal{A}$ outputs its guess $\beta'$ and $\mathcal{B}$ outputs $1 \oplus \beta \oplus \beta'$.
If $T$ is real (i.e., $T = (c_1+c_2)S$), then the output of the $k$-th query is a normal key, while if $T$ is random, then the output of the $k$-th query is a semi-functional key. In other words, if $T$ is real, then $\mathcal{A}$ is playing $\mathrm{Game}_{k-1}$, and if $T$ is random, then $\mathcal{A}$ is playing $\mathrm{Game}_k$. This proves the lemma. $\square$
Lemma 8.3. $|\Pr[X_q] - \Pr[X_{\mathrm{final}}]| \le \varepsilon_{\mathrm{dbdh}}$.
Proof: In both $\mathrm{Game}_q$ and $\mathrm{Game}_{\mathrm{final}}$, the challenge ciphertexts and all the decryption keys are semi-functional. However, in $\mathrm{Game}_{\mathrm{final}}$ the adversary gets a ciphertext corresponding to a random element of $G_T$. The input to $\mathcal{B}$ is a DBDH instance $(P, c_1P, c_2P, c_3P, T)$, and the task is to determine whether $T = e(P,P)^{c_1c_2c_3}$ or whether $T$ is a uniform random element of $G_T$. $\mathcal{B}$ simulates the protocol environment as follows.
Set-Up: $\mathcal{B}$ chooses independent and uniform random values $a_1, b, y, y_1, y_2, w, u, h$ from $\mathbb{Z}_p$ and computes the following:
$$\begin{aligned}
&bP,\quad a_1P,\quad a_2P = c_2P,\quad ba_1P,\quad ba_2P = b(c_2P),\quad V = yP,\quad V_1 = y_1P,\quad V_2 = y_2P,\\
&W = wP,\quad U = uP,\quad Q = hP,\quad e(P,P)^{a_1\alpha b} = e(c_1P, c_2P)^{a_1b},\\
&T_1 = V + a_1V_1,\quad T_2 = V + y_2(c_2P),\quad bT_1 \text{ and } bT_2.
\end{aligned}$$
The public parameters are given to $\mathcal{A}$. Note that $\mathcal{B}$ implicitly sets $\alpha = c_1c_2$ and $a_2 = c_2$. So the components $\alpha P$ and $\alpha a_1P$ of the master secret key are not available to $\mathcal{B}$.