Scalable Wildcarded Identity-Based Encryption with Full Security

Abstract

Wildcarded identity-based encryption (WIBE) is an encryption system where one can encrypt messages to multiple users by specifying a pattern, which is a set of identity strings or wildcards. It is a useful primitive for practical applications where users are defined with multiple attributes (or affiliations), such as organization networks or IoT firmware updates. However, the ciphertext size in traditional WIBE schemes are linear to the number of wildcards in the pattern; since the ciphertext size determines the payload in network systems, it degrades the practicality when deployed in transmission-sensitive systems. In this paper, we represent scalable wildcarded identity-based encryption (SWIBE), which achieves a constant-size ciphertext regardless of the number of wildcards (or depth of patterns). the SWIBE scheme also allows the wildcard usage key derivation as well as encryption: a user with wildcarded pattern can delegate keys for the fixed pattern. Compared to the existing WIBE schemes, the SWIBE scheme is the first approach to yield constant-size ciphertext. Moreover, SWIBE also improves encryption time and decryption time while maintaining a key size of $2L$, comparable to the key size of L in WIBE schemes (where L is a depth of the pattern). The experimental results show that the decryption time is 3 to 10 times faster than the existing WIBE schemes, and 650 times faster than the attribute-based encryption with constant-size ciphertext. For the security, we first propose the selective-CPA-secure SWIBE scheme in a prime order bilinear group and extend it to be selective-CCA-secure. Then we also propose a fully-secure SWIBE scheme which can overcome the selective security.

1. Introduction

In modern IoT infrastructure, it is often essential to encrypt data to multiple devices at once on a group-basis, which let the data security require more advanced functionality of multi-encryption. Specifically, IoT devices are often defined and categorized by their own features, such as device types, manufacturers, affiliations, or locations; users (or devices) often need to send secure messages to a group of devices by specifying particular features. Some well-known examples are described as follows.

• In smart city networks, an occupant may need to encrypt command reservations to home devices (e.g., turn-off devices of type: “lamp” and location: “living room”).
• In secure firmware updates, the firmware is encrypted to a group of devices which satisfies specific conditions (e.g., update devices of manufacturer: “Tesla”).
• In military communications, tactical data are encrypted to classified groups based on specific authorities (e.g., send strategy to devices of affiliation: “Air Force”).

When we apply simple encryption technique such as RSA encryption to the IoT data security, the result becomes inefficient: one should encrypt the message to each user one by one, which requires encryption process and different ciphertext as many as the number of receivers. Moreover, the RSA public key system needs to manage a public key infrastructure (PKI) to identify devices, which increases the communication and storage costs. Therefore, in the IoT data security, it is recommended to consider group-based encryption structure rather than a simple standard encryption.

Related works. Considering that the identities are often defined by attributes, attribute-based encryption (ABE) can provide a suitable functionality for secure communications. Ciphertext-policy attribute-based encryption (CP-ABE) [1,2,3] associates an access policy to each ciphertext, where the access policy is defined by logical combinations (i.e., AND and OR gates) of attribute values. In this setting, the secret key is issued for a set of attributes, and users can decrypt the message only when their attributes satisfy the access policy of the ciphertext. Unfortunately, ABE focuses on more complicated access policy based on variative attributes, while IoT devices are sufficient to handle with fixed identities. To support general access policy, existing ABE schemes either suffer from large ciphertext linearly with the number of attributes or suffer from exponential keys when the ciphertext is fixed as constant.

Identity-based encryption (IBE) [4,5,6] is a useful primitive where the user’s identity (e.g., alice@cs.univ.edu) can be utilized as a public key for encryption, which eliminates a requirement of public key certification such as public key infrastructure (PKI). The IBE can provide an interface for representing the groups or attributes, which is a building block for group-basis secure communications. Later, it advanced to hierarchical identity-based encryption (HIBE) [7], where the identity is defined by a hierarchical set of identity strings such that keys for the identity can be distributed in a hierarchical delegation, i.e., a user at level i can delegate keys for the user at level $i+1$. While traditional IBE requires the certificate authority (CA) to issue keys for the entire users, the HIBE allows each user to share the burden of key delegation to resolve the bottleneck problem. The intuition of key delegation technique in the HIBE system has been advanced to other various cryptographic primitives, such as broadcast encryption [8,9,10].

Considering the fact that many email addresses consist of affiliations, Abdalla et al. [11] extended HIBE to an advanced primitive called wildcarded identity-based encryption (WIBE) by introducing wildcard (*), which can be superceded by any identity string in a set of identity strings. A pattern (or an identity) is defined as a set of multiple identity strings and wildcards, and it efficiently determines a group of identities or a single identity. WIBE utilizes a pattern as a public key for encryption; a single ciphertext encrypted for a pattern (edu, univ, cs, *) (corresponding to *@cs.univ.edu) can be delivered to multiple identities such as alice@cs.univ.edu and bob@cs.univ.edu.

Abdalla’s group proposed three different WIBE systems by extending the existing HIBE schemes. However, all of them suffer from large ciphertext size which is at least $O(L)$ where L is the maximum depth of pattern (i.e., the number of identity strings). Birkett et al. [12] devised compilation techniques called WIB-KEM, which can convert any CPA-secure WIBE into CCA-secure identity-based key encapsulation mechanisms with wildcards. They achieved more efficient CCA-secure WIBE systems by applying their techniques to the Abdalla’s CPA-secure WIBE schemes [11]. However, the ciphertext size still remains as $O(L)$, which is as large as the underlying WIBE schemes. Later, Abdalla’s group introduced IBE with wildcarded key derivation (WKD-IBE) [13], which can include wildcarded pattern in the key derivation of HIBE. They combined the WKD-IBE with their WIBE [11] construction, where wildcarded pattern can be included both in encryption and key derivation, and upgraded the notion of WIBE to WW-IBE [14]. Still, the ciphertext size in WW-IBE [14] is not improved from the original WIBE [11], which is not scalable in IoT systems.

Ciphertext size. The ciphertext size is an important factor, since ciphertext is an actual payload which is transmitted to the network in real applications. Unfortunately, ciphertext size in existing WIBE schemes [11,14] are not constant; it increases linear to the maximum depth of pattern. The main reason is that the WIBE construction let the decryptor transform the ciphertext to his own matching pattern. In brief, the ciphertext should include additional parameters for the wildcarded pattern so that the wildcard can be transformed to the matching key element, based on the key delegation technique from BBG-HIBE [7].

As an alternative approach, the authors of WIBE [11] describes a generic construction of WIBE from HIBE, which can maintain the constant-size ciphertext of the HIBE ingredient. However, this technique results in an excessive secret key size, exponential to the depth of pattern. The main idea in this generic construction is to let the user store secret keys for every possible cases for decryption, instead of transforming the ciphertext. For example, to decrypt the ciphertext encrypted for pattern ($I{D}_1$, $I{D}_2$), a user stores keys for every possible matching patterns: ($I{D}_1$, $I{D}_2$), (*, $I{D}_2$), ($I{D}_1$, *), (*, *). This leads to the secret key size exploded up to $2^L$ which is not reasonable to be used, e.g., in small IoT devices.

Solution. The main barrier of ciphertext size in WIBE is that the decryptor needs to delegate the ciphertext to his own matching pattern. For instance, if a decryptor with an identity ($I{D}_1$, $I{D}_2$) decrypts a ciphertext for ($I{D}_1$, *), he transforms the * to $I{D}_2$ by the help of additional parameters in order to match his own pattern ($I{D}_1$, $I{D}_2$). This lets the ciphertext include extra parameters related to each wildcard, which cannot be compressed to a constant value.

The problem can be resolved by reversing the transformation method: instead of delegating the wildcard to the matching pattern, the decryptor may prune his own pattern to match the wildcard. Specifically, the wildcard is considered as a distinct pattern, and additional pruning keys corresponding to the user’s patterns can be provided so that any pattern can be transformed to the wildcard pattern. For example, if a decryptor with an identity ($I{D}_1$, $I{D}_2$) decrypts a ciphertext for ($I{D}_1$, *), he transforms his $I{D}_2$ to * by using his own pruning key, in order to match the ciphertext pattern ($I{D}_1$, *). Note that the pruning key is only required for the depth of pattern L, which just doubles the secret key. As a result, the ciphertext does not require any additional parameters for delegation and the size can remain constant.

Scalable WIBE. Based on the idea, Kim et al. [15] proposed scalable wildcarded identity-based encryption (SWIBE), which achieves a constant-size ciphertext while maintaining the order of other parameters. SWIBE can efficiently cover the multi-encryption requirements in the IoT examples: with a single encryption and a constant ciphertext, one can encrypt to any group of multiple users by specifying the attributes of receivers.

SWIBE scheme also allows wildcarded patterns both in encryption and key derivation as in WW-IBE [14], i.e., one can encrypt a message to multiple users by using wildcarded patterns, or delegate keys to other users if the identity includes wildcards. Compared to the WW-IBE, SWIBE also improves decryption time, since a user in WW-IBE requires a delegation of the given ciphertext to his own pattern while SWIBE allows a user to decrypt the ciphertext immediately. The practicality of SWIBE is justified by implementing the protocol on a real IoT device, and comparing experimental results with the existing works.

Table 1. Comparison of parameters between related works. ref. e = scalar multiplication, p = pairing, and L = hierarchy depth, q = ID bits, size indicates group elements, Enc = Encryption, and Der = Key derivation.

	HIBE [7]	WIBE [11]	WKD-IBE [13]	WW-IBE [14]	CP-ABE [3]	SWIBE
pp size	$L+4$	$L+4$	$L+2$	$2L+2$	$2L{2}^q+1$	$L+4$
SK size	$L+2$	$L+2$	$L+2$	$L+1$	$3L{2}^q+1$	$2L+3$
CT size	3	$L+3$	3	$3L+2$	2	4
Enc time	$(L+3)e+p$	$(L+3)e+p$	$(L+1)e+p$	$(3L+2)e$	$2L{2}^{q}e+p$	$(L+3)e+p$
Dec time	$2p$	$Le+2p$	$Le+2p$	$Le+(2L+1)p$	$2L{2}^{q}e+4L{2}^{q}p$	$Le+3p$
Wildcard	None	Enc	Der	Enc&Der	Enc	Enc&Der

shows an overall comparison between hierarchical IBE (HIBE) [7], wildcarded IBE (WIBE) [11], wildcarded key derivation IBE (WKD-IBE) [13], WW-IBE [14], ciphertext policy ABE (CP-ABE) [3], and our proposed scalable WIBE (SWIBE) scheme. The comparison focuses on the size of public parameter (pp), secret key (SK), ciphertext (CT) and execution time of encryption (Enc), decryption (Dec), while the identity (pattern) depth is fixed as L and each identity is a q-bit string.

For the wildcard use, HIBE does not support wildcard, WIBE and CP-ABE supports wildcard only in encryption, WKD-IBE supports wildcard only in key derivation, while WW-IBE and SWIBE allow wildcard both in encryption and key derivation. For the ciphertext policy in CP-ABE, we assumed each bit in the ID as an attribute. Among the WIBE schemes which allow wildcards in encryption (WIBE, WW-IBE, SWIBE), only SWIBE has a constant-size ciphertext of 4 group elements regardless of the depth L. While supporting wildcarded pattern both in key derivation and encryption, SWIBE improves the decryption time compared to the WW-IBE.

Selective security. Despite the novel advantages, one remaining challenge is that the security of SWIBE relies on the selective security. In the selective security, the security model assumes that the target devices (i.e., devices which adversary desires to attack) are fixed before the security game. However, in real-life situation, we often cannot predict which devices are vulnerable, and which devices the attackers are planning to exploit. Therefore, for more robust security, it is recommended to advance the scheme to achieve full-security, i.e., IND-CPA secure without selective security.

Fully-secure SWIBE. In this paper, we extend selectively-secure SWIBE [15] to a fully-secure version, by modifying the SWIBE construction based on the composite order group. The composite order group sets the size of the cyclic group N as a composite number instead of a prime, to create different subgroups and let them cancel each other when computed in the pairing operation. This technique can disguise public elements while maintaining the correctness of the protocol, which can achieve the full security instead of the selective security. Based on the idea, we propose a new version of SWIBE protocol which satisfies full security, and formally prove the security under the standard assumptions.

We now summarize the main contributions of SWIBE, and SWIBE with full security.

-

Scalable wildcarded identity-based encryption (SWIBE) achieves constant-size ciphertext among the WIBE systems, without sacrificing the order of other parameters.

-

SWIBE is formally proved to satisfy IND-sID-CPA security, and it is extended to satisfy IND-sID-CCA security.

-

We provide practical experimental results based on a small IoT device with 500 MHz Atom processor.

-

This paper additionally proposes a fully secure (IND-ID-CPA-secure) SWIBE construction to overcome the selective security, and we formally prove the IND-ID-CPA security.

The rest of this paper is organized as follows. Section 2 introduces the basic definitions and complexity assumptions. In Section 3, we formally define the wildcard identity-based encryption as a universal primitive. Section 4 explains the main idea of the SWIBE scheme and how to construct it in details, along with the security proof. Section 5 extends it to be CCA secure, and Section 6 proposes a new version of SWIBE in composite order to obtain full security instead of selective security. In Section 7, we show the experimental results and in Section 8, we conclude.

2. Background

2.1. Identity-Based Encryption

Identity-based encryption (IBE) [16] is defined as a tuple of algorithm $\mathcal{IBE}=(\mathsf{Setup},\mathsf{KeyDer},\mathsf{Enc},\mathsf{Dec})$ which provides the following functionality. The authority runs $\mathsf{Setup}$ to generate a public parameter $pp$ and a master secret key $msk$. It publishes $pp$ and keeps $msk$ in private. When a user with an identity $ID$ needs to join the system, the authority creates a decryption key $d_{ID}\stackrel{\$}{\leftarrow }\mathsf{KeyDer}(msk,ID)$, and sends the key to the user via secure channel. To encrypt a message $\mathsf{m}$ to the user with an identity $ID$, the sender computes a ciphertext $C\stackrel{\$}{\leftarrow }\mathsf{Enc}(pp,ID,\mathsf{m})$, which is decrypted by the user as $\mathsf{m}\leftarrow \mathsf{Dec}(d_{ID},C)$.

2.2. Hierarchical IBE

In hierarchical IBE (HIBE) [7], users are organized in an L-level binary tree, where the root is considered as a master authority. The user’s identity at level $0\le l\le L$ is given by a vector $ID=(P_1,\cdots ,P_l)\in {({\{0,1\}}^q)}^l$. HIBE is defined as a tuple of algorithms $\mathcal{HIBE}=(\mathsf{Setup}$, $\mathsf{KeyDer}$, $\mathsf{Enc}$, $\mathsf{Dec})$ providing same functionalities as in IBE, except that a user $ID=(P_1,\cdots ,P_l)$ at level l can use his own secret key $s{k}_{ID}$ to generate a secret key for its children $I{D}^{\prime }=(P_1,\cdots ,P_l,\cdots ,P_L)$ via $s{k}_{I{D}^{\prime }}\stackrel{\$}{\leftarrow }\mathsf{KeyDer}(s{k}_{ID},I{D}^{\prime })$. By applying the KeyDer algorithm interactively, user $ID$ can derive secret keys for any of its descendants $I{D}^{\prime }=(P_1,\cdots ,P_{l+\delta }$), $\delta \ge 0$. We denote this process as $s{k}_{I{D}^{\prime }}\stackrel{\$}{\leftarrow }\mathsf{KeyDer}(s{k}_{ID},(P_{l+1},\cdots ,P_{L+1}))$. The secret key of the root at level 0 is $s{k}_{ϵ}=msk$. Encryption and decryption are the same as IBE, but the identity is a vector of strings instead of ordinary strings.

2.3. Bilinear Groups and Pairings

In references [16,17], the bilinear maps and bilinear map groups are defined as follows:

• $\mathbb{G}$ and ${\mathbb{G}}_1$ are two multiplicative cyclic groups of prime order p.
• g is a generator of $\mathbb{G}$.
• $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_1$ is a bilinear map.

Let $\mathbb{G}$ and ${\mathbb{G}}_1$ be two groups as above. The bilinear map is defined as a map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_1$ which satisfies the following properties:

• The map is bilinear: for all $u,v\in \mathbb{G}$ and $a,b\in \mathbb{Z}$, $e(u^a,v^b)=e{(u,v)}^{ab}$
• The map is non-degenerate: $e(g,g)\ne 1$.

$\mathbb{G}$ is a bilinear group if the operation in $\mathbb{G}$ is efficient and there is a group ${\mathbb{G}}_1$ with an efficiently computable bilinear map $e:\mathbb{G}\times \mathbb{G}\to {\mathbb{G}}_1$.

2.4. Computational Complexity Assumptions

The security of our scheme is based on bilinear Diffie–Hellman Exponent (BDHE) assumption used in [7], which is an extension of bilinear Diffie–Hellman Inversion (BDHI) assumption previously used in [18]. Let $\mathbb{G}$ be a bilinear group of prime order p. The L-BDHE problem in $\mathbb{G}$ is defined as follows:

$$(h,g,g^{\alpha },g^{({\alpha }^2)},\cdots ,g^{({\alpha }^L)},g^{({\alpha }^{L+2})},\cdots ,g^{({\alpha }^{2L})}\in {\mathbb{G}}^{2L+1})$$

Given a vector of $2L+1$ elements above as input, output $e{(g,h)}^{{\alpha }^{L+1}}\in {\mathbb{G}}_1$.

Once we specify g and $\alpha$, we use $y_i$ to represent $y_i=g^{{\alpha }^i}\in \mathbb{G}$. The adversary $\mathcal{A}$ has an advantage $ϵ$ in solving L-BDHE in $\mathbb{G}$ if

$$Pr[\mathcal{A}(h,g,y_1,\cdots ,y_L,y_{L+2},\cdots ,y_{2L})=e(y_{L+1},h)]\ge ϵ$$

where the probability is over the random bits used by $\mathcal{A}$, the random choice of generators $g,h$ in $\mathbb{G}$, and the random choice of $\alpha$ in ${\mathbb{Z}}_p$. The decisional version of the L-BDHE problem in $\mathbb{G}$ is defined analogously. Let ${\overrightarrow{y}}_{g,\alpha ,L}=(y_1,\cdots ,y_L,y_{L+2},\cdots ,y_{2L})$. An algorithm $\mathcal{B}$ that outputs $b\in \{0,1\}$ has advantage $ϵ$ in solving decisional L-BDHE in $\mathbb{G}$ if

$$\begin{array}{ccc}\hfill \left|Pr\right[\mathcal{B}(g,h,{\overrightarrow{y}}_{g,\alpha ,L},& e(y_{L+1},h))=0]-\hfill & \hfill Pr[\mathcal{B}(g,h,{\overrightarrow{y}}_{g,\alpha ,L},T)=0]|\ge ϵ\end{array}$$

where the probability is over the random choice of generators $g,h$ in $\mathbb{G}$, $\alpha$ in ${\mathbb{Z}}_p$, and $T\in {\mathbb{G}}_1$, and the bits consumed by $\mathcal{B}$.

Definition 1.

The (decisional) ($t,ϵ,L$)-BDHE assumption holds in $\mathbb{G}$ if no t-time algorithm has at least ϵ advantage to solve the (decisional) L-BDHE problem in $\mathbb{G}$.

We may omit the t and $ϵ$, and refer to the (decisional) L-BDHE in $\mathbb{G}$.

3. Model

SWIBE allows general key delegation and encryption to a group that is denoted by multiple identity strings and wildcards. To make the further description simple and clear, we define the following notations similarly to [11].

Definition 2.

A pattern P is a vector $(P_1,\cdots ,P_L)\in {({\mathbb{Z}}_p^{*}\cup \{*\})}^L$, where * is a special wildcard symbol, p is a q-bit prime number, and L is the maximal depth of the SWIBE scheme. We denote pattern P as in ${({\mathbb{Z}}_p^{*}\cup \{*\})}^L$ instead of ${({\{0,1\}}^q\cup \{*\})}^L$, since ${\{0,1\}}^q$ can be easily mapped to ${\mathbb{Z}}_p^{*}$ with a hash function.

Definition 3.

A pattern $P^{\prime }=(P_1^{\prime },\cdots ,P_L^{\prime })$ belongs to P, denoted $P^{\prime }{\in }_{*}P$, if and only if $\forall i\in \{1,\cdots ,L\},(P_i^{\prime }=P_i)$∨$(P_i=*)$.

Definition 4.

A pattern $P^{\prime }=(P_1^{\prime },\cdots ,P_L^{\prime })$ matches P, denoted $P^{\prime }\approx P$, if and only if $\forall i\in \{1,\cdots ,L\}$, $(P_i^{\prime }=P_i)$∨$(P_i=*)$∨$(P_i^{\prime }=*)$.

Notice that a set of patterns matching P is includes patterns belonging to P. For a pattern $P=(P_1,\cdots ,P_L)$, we define $W(P)$ as a set of all wildcard indices in P, i.e., the indices $1\le i\le L$ such that $P_i=*$, and $\overline{W}(P)$ as a complementary set including all non-wildcard indices. Clearly, $W(P)\cap \overline{W}(P)=\varnothing$ and $W(P)\cup \overline{W}(P)=\{1,\cdots ,L\}$.

Definition 5.

$W(P)$ denotes a set including all wildcard indices in a pattern P.

Definition 6.

$\overline{W}(P)$ represents a complementary set containing all non-wildcard indices in a pattern P.

A scalable wildcarded identity-based encryption $\mathcal{SWIBE}$ consists of four algorithms:

$\mathsf{Setup}(L)$

takes as input the maximal hierarchy depth L. It outputs a public parameter $pp$ and master secret key $msk$.

$\mathsf{KeyDer}(s{k}_P,P_{new})$

takes as input a user secret key $s{k}_P$ for a pattern $P=(P_1,\cdots ,P_L)$ and can derive a secret key for any pattern $P_{new}{\in }_{*}P$. The secret key of the root identity is $msk=s{k}_{(*,\cdots ,*)}$.

$\mathsf{Encrypt}(pp,P,m)$

takes as input pattern $P=(P_1,\cdots ,P_L)$, message $m\in {\{0,1\}}^{*}$ and public parameter $pp$. It outputs ciphertext C for pattern P.

$\mathsf{Decrypt}(s{k}_P,C,P^{\prime })$

takes as input user secret key $s{k}_P$ for pattern $P=(P_1,\cdots ,P_L)$ and ciphertext C for pattern $P^{\prime }$. Any user with the secret key for a pattern P which matches $P^{\prime }$ can decrypt the ciphertext using $s{k}_P$, and the algorithm outputs message m.

Correctness requires that for all key pairs ($pp$, $msk$) output by $\mathsf{Setup}$, all messages $m\in {\mathbb{Z}}_p^{*}$, and all patterns $P,P^{\prime }\in {({\mathbb{Z}}_p^{*}\cup \{*\})}^L$ such that $P\approx P^{\prime }$, $\mathsf{Decrypt}(\mathsf{KeyDer}$$(msk,P),\mathsf{Encrypt}(pp,P^{\prime },m),P^{\prime })=m$.

SECURITY. We define the security of SWIBE scheme similar to the original WIBE [11], except we also consider the key delegation property. We allow an adversary to select an arbitrary pattern and query secret keys for the corresponding pattern. The adversary is disallowed to ask a key derivation query for any pattern matching the challenge pattern. The security of SWIBE is defined by an adversary $\mathcal{A}$ and a challenger $\mathcal{C}$ via the following game. Both $\mathcal{C}$ and $\mathcal{A}$ are given the hierarchy depth L and the identity bit-length q as inputs.

Setup:

Challenger $\mathcal{C}$ runs $\mathsf{Setup}(L)$ to obtain public parameter $pp$ and master secret key $msk$. $\mathcal{C}$ gives $\mathcal{A}$ public parameter $pp$.

Key derivation queries:1:

Adversary $\mathcal{A}$ issues key derivation queries $q_{K_1}$, $\cdots$, $q_{K_m}$ in which a key derivation query consists of a pattern $P^{\prime }\in {({\mathbb{Z}}_p^{*}\cup \{*\})}^L$, and challenger $\mathcal{C}$ responds with $s{k}_{P^{\prime }}\stackrel{\$}{\leftarrow }\mathsf{KeyDer}(s{k}_P,P^{\prime })$.

Query phase1:

Adversary $\mathcal{A}$ issues decryption queries $q_{D_1},$$\cdots ,$$q_{D_n}$ in which a decryption query consists of a pattern $P^{\prime }\in {(Z_p^{*}\cup \{*\})}^L$ and ciphertext C, next challenger $\mathcal{C}$ responds with a message $M\stackrel{\$}{\leftarrow }\mathsf{Decrypt}(C,P^{\prime })$.

Challenge:

$\mathcal{A}$ outputs two equal-length challenge messages $m_0^{*},m_1^{*}\in {\mathbb{Z}}_p^{*}$ and a challenge identity $P^{*}=(P_1^{*},$$\cdots ,$$P_{L^{*}}^{*})$ s.t. $P^{*}\not\approx P^{\prime }$ for all queried $P^{\prime }$. $\mathcal{C}$ runs algorithm $C^{*}\leftarrow \mathsf{Encrypt}(pp,P^{*},m_b^{*})$ for random bit b and gives $C^{*}$ to $\mathcal{A}$.

Key derivation queries:2:

Attacker $\mathcal{A}$ continues to issue key derivation queries $q_{K_{m+1}},\cdots ,q_{q_K}$ same as $\mathsf{Key}\mathsf{derivation}\mathsf{queries}:\mathsf{1}$ where query pattern $P^{\prime }\not\approx P^{*}$. $\mathcal{C}$ responds as in key derivation query 1.

Query phase2:

Attacker $\mathcal{A}$ continues to issue decryption queries $q_{D_{n+1}},\cdots ,q_{q_D}$ same as $\mathsf{Query}\mathsf{phase}\mathsf{1}$. It should be satisfied that queried ciphertext $C\ne C^{*}$. $\mathcal{C}$ responds as in query phase 1.

Guess:

$\mathcal{A}$ outputs its guess $b^{\prime }\in \{0,1\}$ for b and wins the game if $b=b^{\prime }$.

Definition 7.

A $\mathcal{SWIBE}$ is $(t,q_K,q_D,ϵ,L)$ IND-ID-CCA-secure if all t-time adversaries making at most $q_K$ queries to the key derivation oracle and at most $q_D$ queries to the decryption oracle have at most advantage ϵ in the IND-ID-CCA game described above.

We also define IND-ID-CPA-secure similar as IND-ID-CCA game except forbidden all decryption queries.

Definition 8.

A $\mathcal{SWIBE}$ is $(t,q_K,0,ϵ,L)$ IND-ID-CPA-secure if all t-time adversaries making at most $q_K$ queries to the key derivation oracle have at most advantage ϵ in the IND-ID-CPA game described above.

SELECTIVE-IDENTITY SECURITY. A weaker selective-identity (sID) security notion IND-sID-CPA is defined analogously to the IND-ID-CPA one: every procedure is the same except that the adversary must commit to the challenge identity at the beginning of the game, before the public parameter is made available.

4. The Proposed Scheme

In this section, we describe the proposed scalable wildcarded identity based encryption scheme (SWIBE). Before presenting the formal scheme, we first describe the BBG-HIBE construction [7], which is a main building block for WIBE systems including SWIBE, along with our main idea to achieve constant-size ciphertext in Section 4.1. Then we provide SWIBE construction in Section 4.2, and show the formal security proof in Section 4.3.

4.1. Overview: BBG-HIBE and Our Idea

The BBG-HIBE scheme [7] is described as follows:

Setup(L):L indicates the maximum hierarchy depth. Select a random integer $\alpha \in {\mathbb{Z}}_p^{*}$, and $O(L)$ random group elements $g,g_2,g_3,h_1,h_2,\cdots ,h_L\in \mathbb{G}$, and compute $g_1=g^{\alpha }$.

The public parameters and the master secret key are given by

$$\begin{array}{cc}\hfill pp& =(g,g_1,g_2,g_3,h_1,h_2,\cdots ,h_L),msk=g_2^{\alpha }.\hfill \end{array}$$

KeyDer($s{k}_{P_{|l-1}}$, P): To compute the secret key $s{k}_P$ for an identity $P=(P_1,\cdots ,P_l)\in {({\mathbb{Z}}_p^{*})}^l$ where $l\le L$ from the master secret key, a random $r\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ is chosen, then secret key $s{k}_P=(a_1,a_2,b_{l+1},\cdots ,b_L)$ for P is constructed as

$$\begin{array}{ccc}\hfill a_1& =g_2^{\alpha }{(g_3·\prod _{i\in [1,\cdots ,l]}{h}_i^{P_i})}^r,\hfill & \hfill a_2=g^r,{\{b_i=h_i^r\}}_{i\in [l+1,\cdots ,L]}\end{array}$$

The private key for P can be generated incrementally, given a private key for the parent identity $P_{|l-1}=(P_1,\cdots ,P_{l-1})\in {({\mathbb{Z}}_p^{*})}^{l-1}$. Let $s{k}_{P_{|l-1}}=(a_1^{\prime },a_2^{\prime },b_l^{\prime },\cdots ,b_L^{\prime })$ be the private key for $P_{|l-1}$. To generate $s{k}_P$, pick a random $t\in {\mathbb{Z}}_p^{*}$ and output

$$\begin{array}{ccc}\hfill a_1=a_1^{\prime }·{(b_l^{\prime })}^{P_l}·{(g_3·\prod _{i\in [1,\cdots ,l]}{h}_i^{P_i})}^t,& \hfill & \hfill a_2=a_2^{\prime }·g^t,{\{b_i=b_i^{\prime }·h_i^t\}}_{i\in [l+1,\cdots ,L]}\end{array}$$

Encrypt($pp$, P, M): To encrypt a message $m\in {\mathbb{G}}_1$ to pattern $P=(P_1,\cdots ,P_l)$, choose $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, and compute

$$\begin{array}{ccccc}\hfill C=(g^s,& \hfill & \hfill {(g_3·\prod _{i\in [1,\cdots ,l]}{h}_i^{P_i})}^s,& \hfill & \hfill M·e{(g_1,g_2)}^s)\end{array}$$

Decrypt($s{k}_P$, C): Consider an identity pattern $P=(P_1,\cdots ,P_l)$. To decrypt a given ciphertext $C=(C_1,C_2,C_3)$ with private key $s{k}_P=(a_1,a_2,b_{l+1},\cdots ,b_L)$, output

$$\begin{array}{c}\hfill C_3·\frac{e(a_2,C_2)}{e(C_1,a_1)}=M\end{array}$$

The BBG-HIBE scheme [7] has the advantage of constant-sized ciphertexts. The ciphertext consists of only three elements: $(g^s,{(g_3·h_1^{P_1}\cdots h_l^{P_l})}^s,M{(g,g_2)}^{s\alpha })$. When observing the secret key, $a_1$ and $a_2$ are responsible for the decryption, while $b_i$ stands for further key delegations. The pattern $P=(P_1,\cdots ,P_l)$ is combined as a single element $a_1$, and we can delegate $a_1$ to another extended pattern $P=(P_1,\cdots ,P_l,P_{l+1})$ by additionally combining the $b_{l+1}$ into the $a_1$. Since the united element $a_1$ directly involves the pattern and the element can be canceled by multiplying its inverse, we observe that secret key for some pattern can be replaced to another secret key for a different pattern by multiplication. For instance, it is possible to compute $g_2^{\alpha }{(g_3{h}_1^{P_1^{\prime }}\cdots h_l^{P_l})}^r$ by multiplying $h_1^{(P_1^{\prime }-P_1)r}$ to $g_2^{\alpha }{(g_3·h_1^{P_1}\cdots h_l^{P_l})}^r$.

The wildcard pattern can work in a similar way: when we consider the wildcard * as a fixed identity, i.e., a mapped element $w\in {\mathbb{Z}}_p^{*}$, we may change an identity to the wildcard by including ${\mathbf{c}}_{\mathbf{i}}={(h_i^w/h_i^{P_i})}^r$ for every identity string $P_i$ in a secret key and replacing ${(h_i^{P_i})}^r$ with ${(h_i^w)}^r$. However, this approach has a security problem; the extra $c_i$ allows the adversary to compute $h_i^r={\mathbf{c}}_{\mathbf{i}}^{1/(w-P_i)}$ by combining $c_i,w,P_i$, which reveals the top level secret key $g_2^{\alpha }{g}_3^r$ by canceling ${(h_1^{P_1}\cdots h_l^{P_l})}^r$ from $g_2^{\alpha }{(g_3{h}_1^{P_1}\cdots h_l^{P_l})}^r$. With the top level secret key, the adversary can generate any secret keys as he desires, which is a significant problem.

We resolve this issue by randomizing the wildcard part, by using another random $t\in {\mathbb{Z}}_p$ independent from r. Specifically, we revise the extra key $c_i$ as ${\mathbf{c}}_{\mathbf{i}}=h_i^{wt}/h_i^{P_{i}r}$, and also provide $g^t$ with $g^r$, to let the decryption work correctly. For instance, the key $g_2^{\alpha }{(g_3·h_1^{P_1}{h}_2^{P_2}{h}_3^{P_3})}^r$ for $(P_1,P_2,P_3)$ is changed to $g_2^{\alpha }{(g_3·h_2^{P_2})}^r·{(h_1^w{h}_3^w)}^t$ for $(*,P_2,*)$ by multiplying ${\mathbf{c}}_{\mathbf{1}}{\mathbf{c}}_{\mathbf{3}}$.

The remaining issue is that the encryption requires some adjustments, to be compatible with the modification of random t. For example, to encrypt for the pattern $(*,P_2,*)$, the pattern is divided into wildcard part and non-wildcard part. The non-wildcard identity part $(·,P_2,·)$ is encrypted as $(g^s,{(g_3·h_2^{P_2})}^s,M·e{(g_1,g_2)}^s)$, same as the BBG-HIBE. Then the wildcard identity part $(*,·,*)$ is encrypted as ${(h_1^w{h}_3^w)}^s$, which can later be used in decryption to cancel out the wildcard part of user secret key. In summary, the ciphertext can remain as constant with an additional single group element to the original BBG-HIBE ciphertext which is three group elements, and the key size also remains efficient, linear to the number of patterns, within the same order compared with the BBG-HIBE.

The complete scheme is represented in the following Section 4.2 with assuming the value $w=1$. Then we formally prove the security of the scheme in Section 4.3.

4.2. SWIBE Construction

We now describe the SWIBE scheme which achieves constant size ciphertext and $O(L)$ size keys.

Setup(L): Let L indicate the maximum depth of the pattern. The initial set of keys are generated as follows. Sample $\alpha \in {\mathbb{Z}}_p^{*}$, and $O(L)$ group elements $g,g_2,g_3,h_1,h_2,\cdots ,h_L\in \mathbb{G}$ randomly, and compute $g_1=g^{\alpha }$.

The public parameter is given by

$$\begin{array}{cc}\hfill pp& \leftarrow (g,g_1,g_2,g_3,h_1,h_2,\cdots ,h_L).\hfill \end{array}$$

A master secret key is set as $msk=g_2^{\alpha }$.

KeyDer($pp$, $s{k}_P$, $P^{\prime }$): To derive the secret key $s{k}_{P^{\prime }}$ for a pattern $P^{\prime }=(P_1^{\prime },\cdots ,P_L^{\prime })\in {({\mathbb{Z}}_p^{*}\cup \{*\})}^L$ from the $msk$, two randoms $r,t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$ are chosen. Then, the secret key $s{k}_{P^{\prime }}=(a_1^{\prime },a_2^{\prime },a_3^{\prime },b^{\prime },c^{\prime },d^{\prime })$ for $P^{\prime }$ is computed as

$$\begin{array}{ccc}\hfill a_1^{\prime }& =msk{(g_3·\prod _{i\in \overline{W}(P^{\prime })}{h}_i^{P_i^{\prime }})}^r,\hfill & \hfill a_2^{\prime }=g^r,a_3^{\prime }=g^t\\ \hfill b^{\prime }& ={\{b_i^{\prime }=h_i^r\}}_{i\in W(P^{\prime })}\hfill & \hfill c^{\prime }={\{c_i^{\prime }=h_i^t\}}_{i\in W(P^{\prime })}\\ \hfill d^{\prime }& ={\{d_i^{\prime }=h_i^t/h_i^{P_i^{\prime }r}\}}_{i\in \overline{W}(P^{\prime })}\hfill \end{array}$$

In order to generate secret key $s{k}_{P^{\prime }}$ for a pattern $P^{\prime }$ from secret key $s{k}_P=(a_1,a_2,a_3,b,c)$ for a pattern P such that $P^{\prime }{\in }_{*}P$, simply choose two randoms $r^{\prime },t^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_q^{*}$ and output $s{k}_{P^{\prime }}=(a_1^{\prime },a_2^{\prime },a_3^{\prime },b^{\prime },c^{\prime },d^{\prime })$, where

$$\begin{array}{cc}\hfill & a_1^{\prime }=a_1·(\prod _{i\in \overline{W}(P^{\prime })\cap W(P)}{b}_i^{P_i^{\prime }})·{(g_3\prod _{i\in \overline{W}(P^{\prime })}{h}_i^{P_i^{\prime }})}^{r^{\prime }},\hfill \\ \hfill & a_2^{\prime }=a_2·g^{r^{\prime }},a_3^{\prime }=a_3·g^{t^{\prime }}\hfill \\ \hfill b^{\prime }& ={\{b_i^{\prime }=b_i·h_i^{r^{\prime }}\}}_{i\in W(P^{\prime })},c^{\prime }={\{c_i^{\prime }=c_i·h_i^{t^{\prime }}\}}_{i\in W(P^{\prime })}\hfill \\ \hfill d^{\prime }& ={\{d_i^{\prime }=d_i·\frac{h_i^{t^{\prime }}}{h_i^{P_i^{\prime }{r}^{\prime }}}\}}_{i\in \overline{W}(P^{\prime })\cap \overline{W}(P)}\hfill \\ & \cup {\{d_i^{\prime }=\frac{c_i}{b_i^{P_i^{\prime }}}·\frac{h_i^{t^{\prime }}}{h_i^{P_i^{\prime }{r}^{\prime }}}\}}_{i\in \overline{W}(P^{\prime })\cap W(P)}\hfill \end{array}$$

Encrypt($pp$, P, m): To encrypt a message $m\in {\mathbb{G}}_1$ to pattern $P=(P_1,\cdots ,P_L)$ under $pp$, choose $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, and compute $C=(C_1,C_2,C_3,C_4)$

$$\begin{array}{cccc}\hfill C_1& =g^s,\hfill & \hfill C_2& ={(g_3·\prod _{i\in \overline{W}(P)}{h}_i^{P_i})}^s\hfill \\ \hfill C_3& =m·e{(g_1,g_2)}^s,\hfill & \hfill C_4& ={(\prod _{i\in W(P)}{h}_i)}^s\hfill \end{array}$$

Decrypt($s{k}_P$, C, $P^{\prime }$): Consider patterns P and $P^{\prime }\in (Z_p^{*}$∪${\{*\})}^L$, where P is a key pattern and $P^{\prime }$ is a ciphertext pattern. To decrypt a given ciphertext $C=(C_1,C_2,C_3,C_4)$ with private key $s{k}_P=(a_1,a_2,a_3,b,c,d)$, compute $a_1^{\prime }=a_1·{\prod }_{i\in \overline{W}(P^{\prime })\cap W(P)}{b}_i^{P_i^{\prime }}·{\prod }_{i\in W(P^{\prime })\cap W(P)}{c}_i·{\prod }_{i\in W(P^{\prime })\cap \overline{W}(P)}{d}_i$ and output

$$\begin{array}{c}\hfill C_3·\frac{e(a_2,C_2)·e(a_3,C_4)}{e(C_1,a_1^{\prime })}=m\end{array}$$

The correctness of the decryption is described as follows. We denote ${\mathsf{W}}_{P^{\prime }P}$ = $W(P^{\prime })\cap W(P)$, ${\mathsf{W}}_{{\overline{P}}^{\prime }P}$ = $\overline{W}(P^{\prime })\cap W(P)$, ${\mathsf{W}}_{P^{\prime }\overline{P}}$ = $W(P^{\prime })\cap \overline{W}(P)$, and ${\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}$ = $\overline{W}(P^{\prime })\cap \overline{W}(P)$ to simplify notations.

Since $a_1=g_2^{\alpha }{(g_3{\prod }_{i\in \overline{W}(P)}{h}_i^{P_i})}^r$, $b_i=h_i^r$, $c_i=h_i^t$, and $d_i=\frac{h_i^t}{h_i^{P_{i}r}}$,

$$\begin{array}{cc}\hfill a_1^{\prime }& =a_1·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }P}}{b}_i^{P_i^{\prime }}·\prod _{i\in {\mathsf{W}}_{P^{\prime }P}}{c}_i·\prod _{i\in {\mathsf{W}}_{P^{\prime }\overline{P}}}{d}_i\hfill \\ \hfill =& g_2^{\alpha }{(g_3·\prod _{i\in \overline{W}(P)}{h}_i^{P_i})}^r·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }P}}{h}_i^{P_i^{\prime }r}·\prod _{i\in {\mathsf{W}}_{P^{\prime }P}}{h}_i^t·\prod _{i\in {\mathsf{W}}_{P^{\prime }\overline{P}}}\frac{h_i^t}{h_i^{P_{i}r}}\hfill \\ \hfill =& g_2^{\alpha }{(g_3·\prod _{i\in \overline{W}(P)}{h}_i^{P_i}·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }P}}{h}_i^{P_i^{\prime }}·\prod _{i\in {\mathsf{W}}_{P^{\prime }\overline{P}}}{h}_i^{-P_i})}^r·\prod _{i\in {\mathsf{W}}_{P^{\prime }\overline{P}}}{h}_i^t·\prod _{i\in {\mathsf{W}}_{P^{\prime }P}}{h}_i^t.\hfill \end{array}$$

Since ${\mathsf{W}}_{P^{\prime }\overline{P}}$$\cup {\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}$ = $\overline{W}(P)$ and ${\mathsf{W}}_{P^{\prime }\overline{P}}\cap W_{{\overline{P}}^{\prime }\overline{P}}$ = ∅, ${\prod }_{i\in \overline{W}(P)}{h}_i^{P_i}·{\prod }_{i\in {\mathsf{W}}_{P^{\prime }\overline{P}}}{h}_i^{-P_i}$ = ${\prod }_{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}}{h}_i^{P_i}$. Similarly, since ${\mathsf{W}}_{P^{\prime }P}$$\cup {\mathsf{W}}_{P^{\prime }\overline{P}}$ = $W(P^{\prime })$ and ${\mathsf{W}}_{P^{\prime }P}$$\cap {\mathsf{W}}_{P^{\prime }\overline{P}}$ = ∅, ${\prod }_{i\in {\mathsf{W}}_{P^{\prime }P}}{h}_i^t·{\prod }_{i\in {\mathsf{W}}_{P^{\prime }\overline{P}}}{h}_i^t$ = ${\prod }_{i\in W(P^{\prime })}{h}_i^t$. Therefore,

$$\begin{array}{cc}\hfill a_1^{\prime }& =g_2^{\alpha }{(g_3·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}}{h}_i^{P_i}·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }P}}{h}_i^{P_i^{\prime }})}^r·\prod _{i\in W(P^{\prime })}{h}_i^t.\hfill \end{array}$$

Since $P\approx P^{\prime }$, $P_i=P_i^{\prime }$ for $i\in {\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}$.

$$\begin{array}{cc}\hfill a_1^{\prime }& =g_2^{\alpha }{(g_3·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}}{h}_i^{P_i^{\prime }}·\prod _{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }P}}{h}_i^{P_i^{\prime }})}^r·\prod _{i\in W(P^{\prime })}{h}_i^t.\hfill \end{array}$$

Since ${\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}$$\cup {\mathsf{W}}_{{\overline{P}}^{\prime }P}$ = $\overline{W}(P^{\prime })$ and ${\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}$$\cap {\mathsf{W}}_{{\overline{P}}^{\prime }P}$ = ∅, ${\prod }_{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }\overline{P}}}{h}_i^{P_i^{\prime }}·{\prod }_{i\in {\mathsf{W}}_{{\overline{P}}^{\prime }P}}{h}_i^{P_i^{\prime }}$ = ${\prod }_{i\in \overline{W}(P^{\prime })}{h}_i^{P_i^{\prime }}$.

$$\begin{array}{cc}\hfill a_1^{\prime }& =g_2^{\alpha }{(g_3·\prod _{i\in \overline{W}(P^{\prime })}{h}_i^{P_i^{\prime }})}^r·\prod _{i\in W(P^{\prime })}{h}_i^t.\hfill \end{array}$$

$$\begin{array}{cc}\hfill & \frac{e(a_2,C_2)·e(a_3,C_4)}{e(C_1,a_1^{\prime })}\hfill \\ \hfill & =\frac{e(g^r,{(g_3·{\prod }_{i\in \overline{W}(P^{\prime })}{h}_i^{P_i^{\prime }})}^s)·e(g^t,{({\prod }_{i\in W(P^{\prime })}{h}_i)}^s)}{e(g^s,g_2^{\alpha }{(g_3·{\prod }_{i\in \overline{W}(P^{\prime })}{h}_i^{P_i^{\prime }})}^r·{\prod }_{i\in W(P^{\prime })}{h}_i^t)}\hfill \\ \hfill & =\frac{1}{e{(g,g_2)}^{s\alpha }}=\frac{1}{e{(g_1,g_2)}^s}.\hfill \end{array}$$

4.3. Security Proof

In this section, we show the formal proof for IND-sID-CPA-security of SWIBE scheme in the standard model.

Theorem 1.

Let $\mathbb{G}$ be a bilinear group of prime order p. Suppose the decisional $(t,ϵ,L)$-BDHE assumption holds in $\mathbb{G}$. Then our SWIBE is $(t^{\prime },q_K,0,ϵ,L)$ sID-CPA secure for arbitrary L, and $t^{\prime }<t-O(L\mathbf{e}+\mathbf{p})$, where $\mathbf{e}$ and $\mathbf{p}$ denote the execution times of scalar multiplication and pairing in $\mathbb{G}$, respectively.

Proof. 

Suppose $\mathcal{A}$ has advantage $ϵ$ in attacking the SWIBE scheme. Using $\mathcal{A}$, we build an algorithm $\mathcal{B}$ that solves the (decisional) L-BDHE problem in $\mathbb{G}$.

For a generator $g\in \mathbb{G}$ and $\alpha \in {\mathbb{Z}}_p^{*}$, let $y_i=g^{{\alpha }^i}\in \mathbb{G}$. Algorithm $\mathcal{B}$ is given as input a random tuple ($g,h,y_1,\cdots$, $y_L$, $y_{L+2}$, $\cdots$, $y_{2L}$, T) that is either chosen from $P_{BDHE}$ where $T=e{(g,h)}^{({\alpha }^{L+1})}$ or from $R_{BDHE}$ where T is uniformly distributed in ${\mathbb{G}}_1$. The goal of algorithm $\mathcal{B}$ is to output 1 when the input is sampled from $P_{BDHE}$ and 0 otherwise. Algorithm $\mathcal{B}$ interacts with $\mathcal{A}$ in a selective subset game as follows:

Init: The game begins with $\mathcal{A}$ first outputting an identity vector $P^{*}=(P_1^{*},\cdots ,P_L^{*})$ ${\in }_{*}{({\mathbb{Z}}_p^{*}\cup \{*\})}^L$.

Setup: To generate the public parameter, algorithm $\mathcal{B}$ picks a random $\gamma$ in ${\mathbb{Z}}_p$ and sets $g_1=y_1=g^{\alpha }$ and $g_2=y_L{g}^{\gamma }=g^{\gamma +({\alpha }^L)}$. Next, $\mathcal{B}$ picks random ${\gamma }_i\in {\mathbb{Z}}_p^{*}$ for $i=1,\cdots ,L$, and sets $h_i=g^{{\gamma }_i}/y_{L-i+1}$ for $i\in \overline{W}(P^{*})$ and $h_i=g^{{\gamma }_i}$ for $i\in W(P^{*})$. Algorithm $\mathcal{B}$ also picks a random $\delta$ in ${\mathbb{Z}}_p^{*}$ and sets $g_3=g^{\delta }{\prod }_{i\in \overline{W}(P^{*})}^L{y}_{L-i+1}^{P_i^{*}}$.

Key derivation queries: Suppose that adversary $\mathcal{B}$ queries a key derivation query for pattern $P=(P_1,\cdots ,P_L){\in }_{*}{({\mathbb{Z}}_p^{*}\cup \{*\})}^L$. The definition of the security experiment says that $P^{*}{\notin }_{*}P$. Therefore, there exists an index $k\in \overline{W}(P)$ such that $P_k\ne P_k^{*}$. We define k to be the smallest one among all possible indices. $\mathcal{B}$ picks two random $\tilde{r},\tilde{t}\in Z_p^{*}$ and (implicitly) sets $r\leftarrow -\frac{{\alpha }^k}{P_k^{*}-P_k}+\tilde{r}$ and $t\leftarrow r·P_k^{*}+\tilde{t}$. Secret key $s{k}_P=(a_1,a_2,a_3,b,c,d)$ for P is constructed as

$$\begin{array}{cc}\hfill a_1& =g_2^{\alpha }·{(g_3\prod _{i\in \overline{W}(P)h_i^{P_i}})}^r;a_2=g^r;a_3=g^t\hfill \\ \hfill b& ={\{b_i=h_i^r\}}_{i\in W(P)}\hfill \\ \hfill c& ={\{c_i=h_i^t\}}_{i\in W(P)}\hfill \\ \hfill d& ={(d_i=h_i^t/h_i^{P_i^{*}r})}_{i\in \overline{W}(P)}\hfill \end{array}$$

We have

$$\begin{array}{cc}\hfill & {(g_3\prod _{i\in \overline{W}(P)}{h}_i^{P_i})}^r={(g^{\delta }\prod _{i\in \overline{W}(P)}{y}_{L-i+1}^{P_i^{*}}\prod _{i\in \overline{W}(P)}{g}^{{\gamma }_i{P}_i}{y}_{L-i+1}^{-P_i})}^r\hfill \\ \hfill =& {(g^{\delta +{\sum }_{i\in \overline{W}(P)}{P}_i{\gamma }_i}·\prod _{i\in \overline{W}(P)\setminus \{k\}}{y}_{L-i+1}^{P_i^{*}-P_i}·y_{L-k+1}^{P_k^{*}-P_k}·\prod _{i\in W(P)}{y}_{L-i+1}^{P_i^{*}})}^r\hfill \end{array}$$

We split this term up into two factors $A·Z$, where $A={(y_{L-k+1}^{P_k^{*}-P_k})}^r$ is the third product only. We can check that Z can be computed by $\mathcal{A}$, i.e., the terms $y_i$ only appear with indices $i\in \{1,\cdots ,L\}$. Term A can be expressed as

$$\begin{array}{c}\hfill A=g^{{\alpha }^{L-k+1}(P_k^{*}-P_k)(-\frac{{\alpha }^k}{P_k^{*}-P_k}+\tilde{r})}=y_{L+1}^{-1}·y_{L-k+1}^{(P_k^{*}-P_k)\tilde{r}}\end{array}$$

Hence,

$$\begin{array}{cc}\hfill a_1=& g_2^{\alpha }·A·Z=y_{L+1}{y}_1^{\gamma }·y_{L+1}^{-1}{y}_{L-k+1}^{(P_k^{*}-P_k)\tilde{r}}·Z=y_1^{\gamma }·y_{L-k+1}^{(P_k^{*}-P_k)\tilde{r}}·Z\hfill \end{array}$$

can be computed by $\mathcal{A}$. Furthermore,

$$\begin{array}{c}\hfill g^r=g^{-\frac{{\alpha }^k}{P_k^{*}-P_k}+\tilde{r}}=y_k^{-\frac{1}{P_k^{*}-P_k}}·g^{\tilde{r}}\end{array}$$

and for each $i\in W(P)$,

$$\begin{array}{cc}\hfill h_i^r& ={(g^{{\gamma }_i}/y_{L-i+1})}^{-\frac{{\alpha }^k}{P_k^{*}-P_k}+\tilde{r}}=y_k^{-\frac{{\gamma }_i}{P_k^{*}-P_k}}{y}_{L+k-i+1}^{\frac{1}{P_k^{*}-P_k}}·g^{{\gamma }_i\tilde{r}}·y_{L-i+1}^{-\tilde{r}}\hfill \\ \hfill h_i^t& ={(h_i)}^{r·P_k^{*}+\tilde{t}}=h_i^{P_k^{*}r}·h_i^{\tilde{t}}=y_k^{-\frac{{\gamma }_i{P}_k^{*}}{P_k^{*}-P_k}}{y}_{L+k-i+1}^{\frac{P_k^{*}}{P_k^{*}-P_k}}·g^{{\gamma }_i(\tilde{r}{P}_k^{*}+\tilde{t})}·y_{L-i+1}^{-(\tilde{r}{P}_k^{*}+\tilde{t})}\hfill \end{array}$$

can be computed since $k\notin W(P)$.

And for each $i\in \overline{W}(P)$,

$$\begin{array}{cc}\hfill h_i^t/h_i^{P_i^{*}r}& =h_i^{r{P}_k^{*}+\tilde{t}}/h_i^{P_i^{*}r}=h_i^{(P_k^{*}-P_i^{*})r+\tilde{t}}={(g^{{\gamma }_i}/y_{L-i+1})}^{(P_k^{*}-P_i^{*})(-\frac{{\alpha }^k}{P_k^{*}-P_k}+\tilde{r})+\tilde{t}}\hfill \\ \hfill =& {(y_k^{-\frac{{\gamma }_i}{P_k^{*}-P_k}}{y}_{L+k-i+1}^{\frac{1}{P_k^{*}-P_k}}·g^{{\gamma }_i\tilde{r}}·y_{L-i+1}^{-\tilde{r}})}^{(P_k^{*}-P_i^{*})}·{(g^{{\gamma }_i}/y_{L-i+1})}^{\tilde{t}}.\hfill \end{array}$$

If $i=k$, $P_k^{*}-P_i^{*}=0$. So $\mathcal{A}$ can compute it. Otherwise also $\mathcal{A}$ can compute it since $i\ne k$ and $y_{L+1}$ does not appear in the equation.

Challenge: For the challenge, $\mathcal{B}$ computes $C_1$, $C_2$, and $C_4$ as h, $h^{\delta +{\sum }_{i\in \overline{W}(P^{*})}({\gamma }_i{P}_i^{*})}$, and $h^{{\sum }_{i\in W(P^{*})}{\gamma }_i}$. Then, it selects a random bit $b\in \{0,1\}$ and sets $C_3=m_b·T·e{(y_1,h)}^{\gamma }$. It returns $C=(C_1,C_2,C_3,C_4)$ as a challenge to $\mathcal{A}$. We claim that if $T=e{(g,h)}^{({\alpha }^{L+1})}$ (i.e., the input to $\mathcal{B}$ is an L-BDHE tuple) then $(C_1,C_2,C_3,C_4)$ is a valid challenge to $\mathcal{A}$ as in a real attack. To see this, write $h=g^c$ for some (unknown) $c\in {\mathbb{Z}}_p^{*}$. Then

$$\begin{array}{cc}\hfill h^{\delta +{\sum }_{i\in \overline{W}(P^{*})}({\gamma }_i{P}_i^{*})}& ={(g^{\delta +{\sum }_{i\in \overline{W}(P^{*})}({\gamma }_i{P}_i^{*})})}^c\hfill \\ \hfill & ={(g^{\delta }·\prod _{i\in \overline{W}(P^{*})}{y}_{L-i+1}^{P_i^{*}}\prod _{i\in \overline{W}(P^{*})}{(\frac{g^{{\gamma }_i}}{y_{L-i+1}})}^{P_i^{*}})}^c={(g_3\prod _{i\in \overline{W}(P^{*})}{h}_i^{P_i^{*}})}^c,\hfill \\ \hfill h^{{\sum }_{i\in W(P^{*})}{\gamma }_i}& ={(g^{{\sum }_{i\in W(P^{*})}{\gamma }_i})}^c={(\prod _{i\in W(P^{*})}{g}^{{\gamma }_i})}^c\hfill \end{array}$$

and

$$\begin{array}{cc}\hfill & e{(g,h)}^{({\alpha }^{L+1})}·e{(y_1,h)}^{\gamma }=e{(y_1,y_L)}^c·e{(y_1,g)}^{\gamma ·c}=e{(y_1,y_L{g}^{\gamma })}^c=e{(g_1,g_2)}^c.\hfill \end{array}$$

Therefore, by definition, $e{(y_{L+1},g)}^c=e{(g,h)}^{({\alpha }^{L+1})}=T$ and hence $C=(C_1,C_2,$$C_3,C_4)$ is a valid challenge to $\mathcal{A}$. On the other hand, when T is randomly chosen in ${\mathbb{G}}_1$ (i.e., the input to $\mathcal{B}$ is a random tuple) then $C_3$ is just a random independent element in ${\mathbb{G}}_1$ to $\mathcal{A}$.

Guess: Finally, $\mathcal{A}$ outputs a guess $b^{\prime }\in \{0,1\}$. Algorithm $\mathcal{B}$ terminates its own game by outputting a guess as follows. If $b=b^{\prime }$ then $\mathcal{B}$ outputs 1 meaning $T=e{(g,h)}^{({\alpha }^{L+1})}$. Otherwise, it outputs 0 denoting that T is random in ${\mathbb{G}}_1$.

When the input tuple is chosen from $P_{BDHE}$ (where $T=e{(g,h)}^{({\alpha }^{L+1})}$) then $\mathcal{A}$ satisfies $\left|Pr\right[b=b^{\prime }]-1/2|\ge ϵ$. When the input tuple is selected from $R_{BDHE}$ (where T is uniform in ${\mathbb{G}}_1$) then $Pr[b=b^{\prime }]=1/2$. Therefore, with $g,h$ uniform in $\mathbb{G}$, $\alpha$ uniform in ${\mathbb{Z}}_p$, and T uniform in ${\mathbb{G}}_1$ we have that

$$\begin{array}{cc}\hfill |& Pr[B(g,h,{\overrightarrow{y}}_{g,\alpha ,L},e{(g,h)}^{({\alpha }^{L+1})})=0]-Pr[B(g,h,{\overrightarrow{y}}_{g,\alpha ,L},T)=0]|\ge |(1/2+ϵ)-1/2|=ϵ\hfill \end{array}$$

□

5. Extension to CCA Security

In this section, we show the extension of CPA-secure SWIBE to satisfy CCA-security, by applying the similar technique from the extension in [19]. Given any one-time signature scheme $(SigKeygen,$$Sign,$$Verify)$ with a verification key as a q-bit string, we construct an L-level SWIBE $\mathsf{\Pi }=(\mathsf{Setup}$, $\mathsf{KeyDer}$, $\mathsf{Encrypt}$, $\mathsf{Decrypt})$ secure against chosen-ciphertext attacks using the $(L+1)$-level ${\mathsf{\Pi }}^{\prime }=({\mathsf{Setup}}^{\prime },$${\mathsf{KeyDer}}^{\prime }$ ${\mathsf{Encrypt}}^{\prime }$, ${\mathsf{Decrypt}}^{\prime })$ semantically secure SWIBE. The idea is that $P=(P_1,\cdots ,P_L)\in \{{\mathbb{Z}}_p^{*}$∪${\{*\}\}}^L$ in $\mathsf{\Pi }$ is mapped to $P^{\prime }=(P_1$, $\cdots$, $P_L$, $*)$ $\in \{{\mathbb{Z}}_p^{*}$ ∪ ${\{*\}\}}^{L+1}$ in ${\mathsf{\Pi }}^{\prime }$. Thus, the secret key $s{k}_P$ for P in $\mathsf{\Pi }$ is the secret key $s{k}_{P^{\prime }}$ in ${\mathsf{\Pi }}^{\prime }$. Recall that $s{k}_{P^{\prime }}^{\prime }$ can generate secret keys for all descendants of node $P^{\prime }$. When encrypting a message m to $P_C=(P_{C_1},\cdots ,P_{C_L})$ in $\mathsf{\Pi }$, the sender generates a q-bit verification key $V_{sig}\in {\mathbb{Z}}_p^{*}$ and encrypts m to $P_C^{\prime }=(P_{C_1},\cdots ,P_{C_L},V_{sig})$ using ${\mathsf{\Pi }}^{\prime }$.

The construction of L-level $\mathsf{\Pi }$ utilizing $(L+1)$-level ${\mathsf{\Pi }}^{\prime }$ and a one-time signature scheme is as follows:

Setup(L) runs ${\mathsf{Setup}}^{\prime }$$(L+1)$ to obtain $(p{p}^{\prime },ms{k}^{\prime })$. Given $p{p}^{\prime }\leftarrow (g,g_1,g_2,g_3,h_1$, $\cdots$, $h_{L+1})$ and $ms{k}^{\prime }$, the public parameter is $pp\leftarrow (g,g_1,g_2,g_3,h_1,\cdots ,h_L)$ and the master secret key is $msk\leftarrow ms{k}^{\prime }$.

KeyDer($pp$, $s{k}_P$, $P_{new}$) is the same as the ${\mathsf{KeyDer}}^{\prime }$ algorithm.

Encrypt($pp,P,m$) runs $SigKeyGen(1^L)$ algorithm to obtain a signature signing key $K_{sig}$ and a verification key $V_{sig}$. For a given pattern $P=(P_1,\cdots ,P_L)$, encode P to $P^{\prime }=(P_1,\cdots ,P_L,V_{sig})$, compute $C\leftarrow {\mathsf{Encrypt}}^{\prime }$ $(p{p}^{\prime },P^{\prime },m)$ and $\sigma \leftarrow Sign(K_{sig},C)$, and output $CT=(C,\sigma ,V_{sig})$

Decrypt($s{k}_P,CT,P_C$): Let $CT=(C,\sigma ,V_{sig})$.

• Verify that $\sigma$ is the valid signature of C under the key $V_{sig}$. If invalid, output ⊥.
• Otherwise, check $P\approx P_C$, generate $s{k}_{P^{\prime }}$$\leftarrow {\mathsf{KeyDer}}^{\prime }$$(s{k}_P$, $P^{\prime })$ for $P^{\prime }=(P_1,\cdots ,P_L,V_{sig})$, and run ${\mathsf{Decrypt}}^{\prime }$ ($s{k}_{P^{\prime }}$, C, $P_C$) to extract the message.

Theorem 2.

Let $\mathbb{G}$ be a bilinear group of prime order p. The above SWIBE Π is $(t,q_K,q_D$, ${ϵ}_1$+${ϵ}_2$, $L)$ CCA-secure assuming the SWIBE ${\mathsf{\Pi }}^{\prime }$ is $(t^{\prime }$, $q_K^{\prime }$, 0, ${ϵ}_1,$$L+1)$ semantically secure in $\mathbb{G}$ and signature scheme is $(t^{\prime \prime }$, ${ϵ}_2)$ strongly existentially unforgeable with $q_K<q_K^{\prime }$, $t<t^{\prime }-(L\mathbf{e}+3\mathbf{p})q_D-t_s$, where $\mathbf{e}$ is exponential time, $\mathbf{p}$ is pairing time, and $t_s$ is sum of $SigKeyGen$, $Sign$ and $Verify$ computation time.

Proof. 

Assume there exists a t-time adversary, $\mathcal{A}$, such that $|AdvB{r}_{\mathcal{A},\mathsf{\Pi }}-1/2|>{ϵ}_1+{ϵ}_2$. We build an algorithm $\mathcal{B}$, which has advantage $|AdvB{r}_{B,{\mathsf{\Pi }}^{\prime }}-1/2|>{ϵ}_1$ in $\mathbb{G}$. Algorithm $\mathcal{B}$ proceeds as follows.

Setup: $\mathcal{B}$ gets the public parameter $pp$ of ${\mathsf{\Pi }}^{\prime }$ and also gets secret keys $s{k}_{P^{\prime }}^{\prime }$ for $P^{\prime }\neg \approx S^{**}$ from challenger $\mathcal{C}$.

Since ${\mathsf{\Pi }}^{\prime }$ generates secret keys in a compressed way using wildcard *, $P^{\prime }$ can be categorized into the following two cases:

• $P^{\prime }=(P_1,\cdots ,P_L,*)$ for $P{\notin }_{*}{P}^{*}$
• $P^{\prime }=(P_1,\cdots ,P_L,V_{sig})$ for $P{\in }_{*}{P}^{*}$ and $V_{sig}\ne V_{sig}^{*}$.

$\mathcal{B}$ responds with $pp$ and secret keys $s{k}_{P^{\prime }}^{\prime }$ of the first type of $P^{\prime }$. (Recall that the secret key $s{k}_P=s{k}_{P^{\prime }}^{\prime }$ where $P^{\prime }=(P_1,\cdots ,P_L,*$.) The secret keys $s{k}_{P^{\prime }}^{\prime }$ of the second type of $P^{\prime }$ are utilized to respond to the decryption queries of $\mathcal{A}$ as described in the below.

Query phase1: Algorithm $\mathcal{A}$ issues decryption queries. Let $(P,CT)$ be a decryption query where $P{\in }_{*}{P}^{*}$ and $P\approx P_C$ where $P_C$ is a pattern of ciphertext. Let $CT=($ $(C_1,C_2,C_3,C_4)$, $\sigma$, $V_{sig})$. Algorithm $\mathcal{B}$ responds as following:

• Execute $Verify$ to verify the signature $\sigma$ on $(C_1,C_2,C_3,C_4)$ using verification key $V_{sig}$. If the signature is invalid, then $\mathcal{B}$ responds with ⊥.
• If $V_{sig}=V_{sig}^{*}$, a forge event occurs, algorithm $\mathcal{B}$ outputs a random bit $b\stackrel{\$}{\leftarrow }\{0,1\}$ and aborts the simulation.
• Otherwise, $\mathcal{B}$ decrypts the ciphertext $CT$ using the second type of secret keys. Since $V_{sig}\ne V_{sig}^{*}$, $\mathcal{B}$ can query the key generation query for $P^{\prime }=(P_1,\cdots ,P_L$, $V_{sig})$ which is second type pattern. Using $s{k}_{P^{\prime }}$, B can decrypt $m\leftarrow {\mathsf{Decrypt}}^{\prime }($$s{k}_{P^{\prime }}$, $(C_1,C_2,C_3,C_4),P_C^{\prime })$ where $P_C^{\prime }=(P_1,\cdots ,P_L$, $V_{sig})$ since $P^{\prime }=P_C^{\prime }$.

Challenge:$\mathcal{A}$ gives the challenge $(m_0,m_1)$ to $\mathcal{B}$. $\mathcal{B}$ gives the challenge $(m_0,m_1)$ to $\mathcal{C}$ and gets the challenge $(C{T}_b)$ from $\mathcal{C}$. To generate challenge for $\mathcal{A}$, algorithm $\mathcal{B}$ computes $C^{*}$ as follows:

$$\begin{array}{cc}\hfill & {\sigma }^{*}\leftarrow Sign(C{T}_b,K_{sig}^{*})\hfill \\ & C^{*}\leftarrow (C{T}_b,{\sigma }^{*},V_{sig}^{*})\hfill \end{array}$$

$\mathcal{B}$ replies $C^{*}$ to $\mathcal{A}$.

Query phase2: Same as in query phase1 except can not decrypt query for C*.

Guess: The $\mathcal{A}$ outputs a guess $b\in \{0,1\}$. $\mathcal{B}$ outputs b.

We see that algorithm $\mathcal{B}$ can simulate all queries to run $\mathcal{A}$. $\mathcal{B}$’s success probability as follows:

$$\begin{array}{cc}\hfill |AdvB{r}_{B,{\mathsf{\Pi }}^{\prime }}-\frac{1}{2}|& \ge |AdvB{r}_{\mathcal{A},\mathsf{\Pi }}-\frac{1}{2}|-Pr\left[\mathit{forge}\right]>({ϵ}_1+{ϵ}_2)-Pr\left[\mathit{forge}\right]\hfill \end{array}$$

To conclude the proof of Theorem 2, the remaining process is to bound the probability that $\mathcal{B}$ aborts the simulation as a result of forge, which we claim as $Pr\left[\mathit{forge}\right]<{ϵ}_2$. Otherwise, one can use $\mathcal{A}$ to forge signatures with a probability of at least ${ϵ}_2$. In brief, we can construct another simulator which knows the private key, but receives $K_{sig}^{*}$ as a challenge in an existential forgery game.

In the experiment above, $\mathcal{A}$ aborts by submitting a query which includes an existential forgery under $K_{sig}^{*}$ on some ciphertexts. Our simulator utilizes the forgery to win the existential forgery game. Note that a single chosen message query is asked by adversary $\mathcal{A}$ to generate a signature for the challenge ciphertext. Thus, $Pr\left[\mathit{forge}\right]<{ϵ}_2$. It now follows that $\mathcal{B}$’s advantage is at least ${ϵ}_1$ as required.  □

6. Fully Secure Scheme

In this section, we present a new version of SWIBE based on composite order bilinear groups, to obtain full security (IND-ID-CPA) instead of selective security (IND-sID-CPA). In the original SWIBE scheme (Section 4), the security proof was limited to the selective security, since the scheme was bound to a single group. In this case, if the challenge pattern is not committed before the game, the reduction algorithm cannot simulate secret keys (without knowing the secret factor $\alpha$) for key queries from the adversary. To resolve this issue, we now construct the scheme with parameters from multiple subgroups similar to [14], using the fact that it is difficult to determine from which group the element came from. When using the subgroup assumptions, for each pattern, the reduction can both simulate the secret key in one subgroup and embed the problem in another subgroup. Therefore, the full security can be achieved. We first introduce the definition and features of composite order bilinear groups. Then we show the decisional subgroup assumptions from Lewko and Waters (LW.1–LW.3), and present our composite order (fully-secure) SWIBE which also has a constant-size ciphertext. Finally, we prove the full security of our composite order SWIBE based on LW assumptions.

6.1. Composite Order Bilinear Groups

We describe the composite order bilinear groups as in [14]. We use groups where the order is a product of three primes and a generator G which takes security parameter $\lambda$ as input and generates a description $\mathcal{G}=(N=p_1{p}_2{p}_3,\mathbb{G},{\mathbb{G}}_T,e)$ where $p_1,p_2,p_3$ are distinct primes of $\mathsf{\Theta }(\lambda )$ bits, $\mathbb{G}$ and ${\mathbb{G}}_T$ are cyclic groups of order N. For $a,b,c\in \{1,p_1,p_2,p_3\}$, we denote the subgroup of order $abc$ as ${\mathbb{G}}_{abc}$. Considering the fact that the group is cyclic, it is easy to verify that if g and h are group elements of different order (belonging to different subgroups), then $e(g,h)=1$.

6.2. Complexity Assumptions

We first restate the complexity assumptions we use, which were originally introduced by Lewko and Waters in [20] and used in [14].

Assumption LW.1: For a generator G of bilinear settings, first pick a bilinear setting $\mathcal{G}\stackrel{\$}{\leftarrow }\mathsf{G}(1^{\lambda })$ and then pick $g_1,T_1\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1},g_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3},T_2\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1{p}_2}$ and set $D=(\mathcal{G},g_1,g_3)$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 1 to be: ${\mathsf{Adv}}_{LW.1}^{\mathcal{A}}(\lambda )=|Pr[\mathcal{A}(D,T_1)=1]-Pr[\mathcal{A}(D,T_2)=1]|$.

Assumption LW.2: For a generator G of bilinear settings, first pick a bilinear setting $\mathcal{G}\stackrel{\$}{\leftarrow }\mathsf{G}(1^{\lambda })$ and then pick $g_1,X_1\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1},X_2,Y_2\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_2},g_3,X_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3},T_1\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1{p}_3},T_2\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1{p}_2{p}_3}$ and set $D=(\mathcal{G},g_1,g_3,X_1{X}_2,Y_2{X}_3)$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 2 to be: ${\mathsf{Adv}}_{LW.2}^{\mathcal{A}}(\lambda )=|Pr[\mathcal{A}(D,T_1)=1]-Pr[\mathcal{A}(D,T_2)=1]|$.

Assumption LW.3: For a generator G of bilinear settings, first pick a bilinear setting $\mathcal{G}\stackrel{\$}{\leftarrow }\mathsf{G}(1^{\lambda })$ and then pick $\alpha ,\delta ,s\stackrel{\$}{\leftarrow }{Z}_N,g_1\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1},g_2,X_2,Y_2\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_2},g_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3},T_2\stackrel{\$}{\leftarrow }{\mathbb{G}}_T$ and set $T_1=e{(g_1,g_1^{\delta })}^{\alpha s}$ and $D=(\mathcal{G},g_1,g_2,g_3,g_1^{\alpha }{X}_2,g_1^{\delta },g_1^s{Y}_2)$. We define the advantage of an algorithm $\mathcal{A}$ in breaking Assumption 3 to be: ${\mathsf{Adv}}_{LW.1}^{\mathcal{A}}(\lambda )=|Pr[\mathcal{A}(D,T_1)=1]-Pr[\mathcal{A}(D,T_2)=1]|$.

6.3. Fully-Secure SWIBE Construction

We present the fully-secure SWIBE with constant size ciphertexts and $O(L)$ size keys, which is based on the composite order bilinear group ($N=p_1{p}_2{p}_3$). Note that W from subgroup ${\mathbb{G}}_{p_3}$ is only a blinding factor, to be eliminated when computed in a pairing operation (due to the orthogonal property of composite order bilinear groups).

Setup(L):L indicates the maximum hierarchy depth. Choose a description of a bilinear group $\mathcal{G}\stackrel{\$}{\leftarrow }\mathsf{G}(1^{\lambda })$ with known factorization and $g_1,k_1\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1},g_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}$. Choose $\alpha \stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$ and ${\{h_i\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_1}\}}_{i\in \left[L\right]}$, and compute $\gamma =g_1^{\alpha }$.

The public parameter is given by

$$\begin{array}{cc}\hfill pp& \leftarrow (N,g_1,\gamma ,k_1,g_3,h_1,h_2,\cdots ,h_L).\hfill \end{array}$$

A master secret key is defined as $msk=k_1^{\alpha }$.

KeyDer($pp$, $s{k}_P$, $P^{\prime }$): To compute secret key $s{k}_{P^{\prime }}$ according to pattern $P^{\prime }=(P_1^{\prime },\cdots ,P_L^{\prime })\in {({\mathbb{Z}}_p^{*}\cup \{*\})}^L$ from the master secret key, first two randoms $r,t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$ are chosen. Then random blinding factors from different subgroup $W_1,W_2,W_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}$, ${\{W_{a,i},W_{d,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in \overline{W}(P)}$, and ${\{W_{b,i},W_{c,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in W(P)}$ are chosen. Secret key $s{k}_{P^{\prime }}=(a_1^{\prime },a_2^{\prime },a_3^{\prime },b^{\prime },c^{\prime },d^{\prime })$ for $P^{\prime }$ is constructed as

$$\begin{array}{cc}\hfill a_1^{\prime }& =msk·\prod _{i\in \overline{W}(P^{\prime })}{(h_i^{P_i^{\prime }}·W_{a,i})}^r·W_1\hfill \\ \hfill a_2^{\prime }& =g_1^r·W_2\hfill \\ \hfill a_3^{\prime }& =g_1^t·W_3\hfill \\ \hfill b^{\prime }& ={\{b_i^{\prime }=h_i^r·W_{b,i}\}}_{i\in W(P^{\prime })}\hfill \\ \hfill c^{\prime }& ={\{c_i^{\prime }=h_i^t·W_{c,i}\}}_{i\in W(P^{\prime })}\hfill \\ \hfill d^{\prime }& ={\{d_i^{\prime }=h_i^t/h_i^{P_i^{\prime }r}·W_{d,i}\}}_{i\in \overline{W}(P^{\prime })}\hfill \end{array}$$

In order to generate secret key $s{k}_{P^{\prime }}$ for a pattern $P^{\prime }$ from secret key $s{k}_P=(a_1,a_2,a_3,b,c)$ for a pattern P such that $P^{\prime }{\in }_{*}P$, simply choose two randoms $r^{\prime },t^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, and blinding randoms $W_1^{\prime },W_2^{\prime },W_3^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}$, ${\{W_{a,i}^{\prime },W_{d,i}^{\prime }\}}_{i\in \overline{W}(P^{\prime })}$, and ${\{W_{b,i}^{\prime },W_{c,i}^{\prime }\}}_{i\in W(P^{\prime })}$ and output $s{k}_{P^{\prime }}=(a_1^{\prime },a_2^{\prime },a_3^{\prime },b^{\prime },c^{\prime },d^{\prime })$, where

$$\begin{array}{cc}\hfill a_1^{\prime }& =a_1·(\prod _{i\in \overline{W}(P^{\prime })\cap W(P)}{b}_i^{P_i^{\prime }})·\prod _{i\in \overline{W}(P^{\prime })}{(h_i^{P_i^{\prime }}·W_{a,i}^{\prime })}^{r^{\prime }},\hfill \\ \hfill a_2^{\prime }& =a_2·g_1^{r^{\prime }}\hfill \\ \hfill a_3^{\prime }& =a_3·g_1^{t^{\prime }}\hfill \\ \hfill b^{\prime }& ={\{b_i^{\prime }=b_i·h_i^{r^{\prime }}·W_{b,i}^{\prime }\}}_{i\in W(P^{\prime })}\hfill \\ \hfill c^{\prime }& ={\{c_i^{\prime }=c_i·h_i^{t^{\prime }}·W_{c,i}^{\prime }\}}_{i\in W(P^{\prime })}\hfill \\ \hfill d^{\prime }& ={\{d_i^{\prime }=d_i·\frac{h_i^{t^{\prime }}}{h_i^{P_i^{\prime }{r}^{\prime }}}·W_{d,i}^{\prime }\}}_{i\in \overline{W}(P^{\prime })\cap \overline{W}(P)}\hfill \\ & \cup {\{d_i^{\prime }=\frac{c_i}{b_i^{P_i^{\prime }}}·\frac{h_i^{t^{\prime }}}{h_i^{P_i^{\prime }{r}^{\prime }}}·W_{d,i}^{\prime }\}}_{i\in \overline{W}(P^{\prime })\cap W(P)}\hfill \end{array}$$

Encrypt($pp$, P, m): To encrypt a message $m\in \mathcal{G}$ to pattern $P=(P_1,\cdots ,P_L)$ under $pp$, choose $s\stackrel{\$}{\leftarrow }{\mathbb{Z}}_p^{*}$, and compute $C=(C_1,C_2,C_3,C_4)$

$$\begin{array}{cccc}\hfill C_1& =g_1^s,\hfill & \hfill C_2& ={(\prod _{i\in \overline{W}(P)}{h}_i^{P_i})}^s\hfill \\ \hfill C_3& =m·e{(\gamma ,k_1)}^s,\hfill & \hfill C_4& ={(\prod _{i\in W(P)}{h}_i)}^s\hfill \end{array}$$

Decrypt($s{k}_P$, C, $P^{\prime }$): The decryption is similar to the decryption in Section 4.2, since the elements in ${\mathbb{G}}_{p_1}$ will work in an equivalent way compared to the original SWIBE construction. Consider patterns P and $P^{\prime }\in (Z_p^{*}$∪${\{*\})}^L$, where P is a key pattern and $P^{\prime }$ is a ciphertext pattern. To decrypt a given ciphertext $C=(C_1,C_2,C_3,C_4)$ with private key $s{k}_P=(a_1,a_2,a_3,b,c,d)$, compute $a_1^{\prime }=a_1·{\prod }_{i\in \overline{W}(P^{\prime })\cap W(P)}{b}_i^{P_i^{\prime }}·{\prod }_{i\in W(P^{\prime })\cap W(P)}{c}_i·{\prod }_{i\in W(P^{\prime })\cap \overline{W}(P)}{d}_i$ and output

$$\begin{array}{c}\hfill C_3·\frac{e(a_2,C_2)·e(a_3,C_4)}{e(C_1,a_1^{\prime })}=m\end{array}$$

The fact that decryption works is similar to the decryption of original SWIBE construction in Section 4.2. Note that the blinding factors W from subgroup ${\mathbb{G}}_{p_3}$ make no difference, since they will be eliminated in the pairing operations due to the orthogonal property in Section 6.1.

6.4. Security Proof

In this section, we prove that our fully-secure SWIBE scheme in Section 6.3 is IND-ID-CPA-secure under the Lewko and Waters assumptions (LW.1–LW.3) in Section 6.2. The security proof is based on the hybrid games.

Before presenting hybrid games, we introduce two additional structures used in the proofs of security similar to [14,20]:

Semi-Functional (SF) Ciphertext. Let $g_2$ denote a generator of ${\mathbb{G}}_{p_2}$. An SF ciphertext is constructed as follows: we use the encryption algorithm to form a normal ciphertext $C^{\prime }\leftarrow [C_1^{\prime },C_2^{\prime },C_3^{\prime },C_4^{\prime }]$. We choose random exponents $x\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$ and $z{c}_2,z{c}_4\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$. Then we set: $C_1=C_1^{\prime }·g_2^x,C_2=C_2^{\prime }·g_2^{x·z{c}_2},C_3=C_3^{\prime },C_4=C_4^{\prime }·g_2^{x·z{c}_4}$.

Semi-Functional (SF) Keys. To generate a SF key, a normal secret key $(a_1^{\prime },a_2^{\prime },a_3^{\prime },b^{\prime },c^{\prime },d^{\prime })$ is first created, using the key derivation algorithm with $pp$, $msk$, and pattern P. Then randoms are chosen: $y,z{k}_1,z{k}_2,z{k}_3\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, ${(z{k}_{b,i},z{k}_{c,i}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in W(P)}$, and ${(z{k}_{d,i}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in \overline{W}(P)}$. Then the SF secret key is constructed as follows.

$$\begin{array}{cccc}\hfill a_1& =a_1^{\prime }·g_2^{y·z{k}_1},\hfill & \hfill b& ={\{b_i=b_i^{\prime }·g_2^{y·z{k}_{b,i}}\}}_{i\in W(P)}\hfill \\ \hfill a_2& =a_2^{\prime }·g_2^{y·z{k}_2},\hfill & \hfill c& ={\{c_i=c_i^{\prime }·g_2^{y·z{k}_{c,i}}\}}_{i\in W(P)}\hfill \\ \hfill a_3& =a_3^{\prime }·g_2^{y·z{k}_3},\hfill & \hfill d& ={\{d_i=d_i^{\prime }·g_2^{y·z{k}_{d,i}}\}}_{i\in \overline{W}(P)}\hfill \end{array}$$

Note that SF ciphertexts can be decrypted by normal secret keys and SF secret keys can be used to decrypt normal ciphertext. But an SF ciphertext, for pattern $P^{\prime }$, cannot be decrypted by an SF secret key. The decryption algorithm will compute the blinding factor multiplied by the additional term $e{(g_2,g_2)}^{xy·(z{k}_2·z{c}_2+z{k}_3·z{c}_4-z{k}_1)}$. If $z{k}_2·z{c}_2+z{k}_3·z{c}_4=z{k}_1$, decryption will still work. Such ciphertexts and secret keys are defined as nominally SF.

Theorem 3.

If Assumptions LW.1, LW.2, and LW.3 hold, then our fully-secure SWIBE scheme is IND-ID-CPA (or IND-WWID-CPA [14]) secure.

Proof. 

We prove the security via sets of hybrid games, and by showing that two games are computationally indistinguishable in each step. For the sketch of our proof, we first define the series of games. Let us assume PPT adversary $\mathcal{A}$ with q key queries. Then we define $q+5$ games between $\mathcal{A}$ and a challenger $\mathcal{C}$ as follows.

• ${\mathbf{Game}}_{\mathbf{real}}:$ It is the real IND-ID-CPA (or IND-WWID-CPA [14]) security game.
• ${\mathbf{Game}}_{\mathbf{gen}}:$ This game is same as $Gam{e}_{real}$, except the fact that all key queries from the adversary is answered by fresh key generation algorithm. In the security proof, we use the term key generation for the key delegation from $msk$, which is equivalent.
• ${\mathbf{Game}}_{\mathbf{pre}}:$ It is a same game as $Gam{e}_{gen}$, except the fact that the adversary cannot query for keys if the pattern is a prefix of the challenge pattern mod $p_2$. We say that the pattern P is a prefix of $P^{*}$ mod $p_2$ if there exists i s.t. $P_i\ne P_i^{*}$ mod N and $P_i=P_i^{*}$ mod $p_2$.
• ${\mathbf{Game}}_{\mathbf{0}}:$ It is a same game as $Gam{e}_{pre}$, except the fact that the challenge ciphertext $C_1\sim C_4$ is given as a SF ciphertext.
• ${\mathbf{Game}}_{\mathbf{1}\sim \mathbf{q}}:$ For k from 1 to q, $Gam{e}_k$ is same as $Gam{e}_0$ except the fact that the first k keys are given as SF keys. The other keys are given as normal keys from the key generation algorithm.
• ${\mathbf{Game}}_{\mathbf{rand}}:$ This game is same as $Gam{e}_q$, but where $C_3$ of challenge ciphertext has a random element in ${\mathbb{G}}_T$. Since $C_3$ is distorted with a random element, the ciphertext is now independent from the message and the adversary can have no advantage.

With the games defined above, we now introduce the outline of our hybrid games as follows.

• ${\mathbf{Game}}_{\mathbf{real}}={\mathbf{Game}}_{\mathbf{gen}}.$ Since the key generation algorithm has an identical distribution, it is exactly the same to call key delegation or fresh key generation from the adversary’s view.
• ${\mathbf{Game}}_{\mathbf{gen}}\approx {\mathbf{Game}}_{\mathbf{pre}}.$ We require that the adversary cannot obtain the key for prefix pattern of challenge ciphertext, to prevent the adversary to find the nominality in SF randoms. We prove the hybrid game by showing that prefix query itself can break the Assumption LW.2.
• ${\mathbf{Game}}_{\mathbf{pre}}\approx {\mathbf{Game}}_{\mathbf{0}}.$ We construct algorithm $\mathcal{B}$ which breaks Assumption LW.1 with a help of SWIBE CPA distinguisher $\mathcal{A}$. The nature of the challenge ciphertext (normal or SF) is decided by T given from the Assumption LW.1, which indicates that two games are indistinguishable from the adversary’s view.
• ${\mathbf{Game}}_{\mathbf{k}-\mathbf{1}}\approx {\mathbf{Game}}_{\mathbf{k}}.$ We construct algorithm $\mathcal{B}$ which breaks Assumption LW.2 with a help of SWIBE CPA distinguisher $\mathcal{A}$. The nature of the k-th key (normal or SF) is decided by T given from the Assumption LW.2, which indicates that two games are indistinguishable from the adversary’s view.
• ${\mathbf{Game}}_{\mathbf{q}}\approx {\mathbf{Game}}_{\mathbf{rand}}.$ We construct algorithm $\mathcal{B}$ which breaks Assumption LW.3 with a help of SWIBE CPA distinguisher $\mathcal{A}$. The nature of the ciphertext (SF or random) is decided by T given from the Assumption LW.3, which indicates that two games are indistinguishable from the adversary’s view. This concludes the proof, since the adversary can have no advantage in the final game.

We now give formal proofs for each hybrid game stated above.

(1)

${\mathbf{Game}}_{\mathbf{real}}={\mathbf{Game}}_{\mathbf{gen}}.$

The delegated key from the key delegation algorithm has an identical distribution as the freshly generated key from the key generation algorithm. Therefore, it is straightforward that it is exactly the same whether to provide the key with delegating the previous key or to provide the key from a fresh call to the key generation algorithm.

(2)

${\mathbf{Game}}_{\mathbf{gen}}\approx {\mathbf{Game}}_{\mathbf{pre}}.$

We define that pattern $P=(P_1,\cdots ,P_k)$ is a prefix of pattern $P^{*}=(P_1^{*},\cdots ,P_j^{*})$ modulo $p_2$, if there exists $P_i$ and $P_i^{*}$ such that $P_i\ne P_i^{*}$ mod N and $P_i=P_i^{*}$ mod $p_2$. In this case, $p_2$ divides $P_i-P_i^{*}$, and therefore $a=gcd(P_i-P_i^{*},N)$ is a nontrivial factor of N. Since $p_2$ divides a, let us set $b=N/a$. There are two cases: (1) b is in $ord(g_1)$, or (2) b is not in $ord(g_1)$ but in $ord(g_3)$. Suppose that case 1 has probability of at least $ϵ/2$. We describe algorithm $\mathcal{B}$ that breaks Assumption LW.2. $\mathcal{B}$ receives $(\mathcal{G},g_1,g_3,X_1{X}_2,Y_2{X}_3)$ and T and constructs $pp$ and $msk$ by choosing $\alpha ,\delta \stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$ and ${{\eta }_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N}_{i\in \left[L\right]}$, and setting $pp\leftarrow (N,g_1,\gamma =g_1^{\alpha },k_1=g_1^{\delta },g_3,{\{h_i=g_1^{{\eta }_i}\}}_{i\in \left[L\right]})$ and $msk\leftarrow k_1^{\alpha }$. Then $\mathcal{B}$ runs $\mathcal{A}$ on input $pp$ and uses knowledge of $msk$ to answer $\mathcal{A}$’s queries. At the end of the game, $\mathcal{B}$ computes $a=gcd(P_i-P_i^{*},N)$, for all Ps which are patterns for the key queries that $\mathcal{A}$ has asked, and for $P^{*}$ which is the challenge pattern. If $e({(X_1{X}_2)}^a,Y_2{X}_3)$ is the identity element of ${\mathbb{G}}_T$, $\mathcal{B}$ tests if $e(T^b,X_1{x}_2)$ is also the identity element of ${\mathbb{G}}_T$. When the second test is successful, $\mathcal{B}$ declares $T\in {\mathbb{G}}_{p_1{p}_3}$. Otherwise, $\mathcal{B}$ declares $T\in {\mathbb{G}}_{p_1{p}_2{p}_3}$. It is from the simple fact that $p_2$ divides a and $p_1=ord(g_1)$ divides b. For case 2, $\mathcal{B}$ can break Assumption LW.2 in the same way by exchanging the roles of ${\mathbb{G}}_{p_1}$ and ${\mathbb{G}}_{p_3}$, i.e., $p_1$ and $p_3$.

(3)

${\mathbf{Game}}_{\mathbf{pre}}\approx {\mathbf{Game}}_{\mathbf{0}}.$

We construct algorithm $\mathcal{B}$ that breaks Assumption LW.1 with the help of SWIBE CPA distinguisher $\mathcal{A}$. $\mathcal{B}$ first receives $(\mathcal{G},g_1,g_3)$ and T from LW.1. Then $\mathcal{B}$ starts the IND-ID-CPA game with $\mathcal{A}$ and simulates $Gam{e}_{pre}$ or $Gam{e}_0$ depending on the nature of T.

Setup:$\mathcal{B}$ chooses $\alpha ,\delta \stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, ${({\eta }_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in \left[L\right]}$, then set $pp\leftarrow (g_1,\gamma =g_1^{\alpha },k_1=g_1^{\delta },g_3,{\{h_i=g_1^{{\eta }_i}\}}_{i\in \left[L\right]})$ and $msk\leftarrow k_1^{\alpha }$.

Key derivation queries:$\mathcal{B}$ can answer all key generation queries from $\mathcal{A}$ since $\mathcal{B}$ knows $msk$.

Challenge:$\mathcal{A}$ sends $\mathcal{B}$ challenge message $m_0,m_1\in {\{0,1\}}^{*}$ and a challenge pattern $P=(P_1,\cdots ,P_l)$ where $0\le l\le L$. $\mathcal{B}$ flips a coin $\zeta \leftarrow \{0,1\}$ and computes the challenge ciphertext C as follows:

$$\begin{array}{cccc}\hfill C_1& =T,\hfill & \hfill C_2& =\prod _{i\in \overline{W}(P)}{T}^{{\eta }_i·P_i}\hfill \\ \hfill C_3& =m·e(\gamma ,T^{\delta }),\hfill & \hfill C_4& =\prod _{i\in W(P)}{T}^{{\eta }_i}\hfill \end{array}$$

Notice that if $T\in {\mathbb{G}}_{p_1}$, then T can be written as $g_1^s$ and C is a normal ciphertext with randomness s. Instead, if $T\in {\mathbb{G}}_{p_1{p}_2}$, then T can be written as $g_1^s{g}_2^x$ and C is SF with randomness $s,x,z{c}_2={\eta }_i·P_i,z{c}_4={\eta }_i$.

(4)

${\mathbf{Game}}_{\mathbf{k}-\mathbf{1}}\approx {\mathbf{Game}}_{\mathbf{k}}.$

We construct algorithm $\mathcal{B}$ that breaks Assumption LW.2 with the help of SWIBE CPA distinguisher $\mathcal{A}$. $\mathcal{B}$ first receives $(\mathcal{G},g_1,g_3,X_1{X}_2,Y_2{X}_3)$ and T from LW.2. Then $\mathcal{B}$ starts the IND-ID-CPA game with $\mathcal{A}$ and simulates $Gam{e}_{k-1}$ or $Gam{e}_k$ depending on the nature of T.

Setup:$\mathcal{B}$ chooses $\alpha ,\delta \stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, ${({\eta }_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in \left[L\right]}$, then set $pp\leftarrow (g_1,\gamma =g_1^{\alpha },k_1=g_1^{\delta },g_3,{\{h_i=g_1^{{\eta }_i}\}}_{i\in \left[L\right]})$ and $msk\leftarrow k_1^{\alpha }$.

Key derivation queries: There are three cases for the i-th key query with pattern P.

(i)

case 1: $i<k$. Choose SF randoms $z{k}_1,z{k}_2,z{k}_3\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, and ${(z{k}_{b,i},z{k}_{c,i}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in W(P)}$, and ${(z{k}_{d,i}\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in \overline{W}(P)}$. Then choose random $r,t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, $W_1,W_2,W_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}$, ${\{W_{a,i},W_{d,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in \overline{W}(P)}$, and ${\{W_{b,i},W_{c,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in W(P)}$. Then we set the $s{k}_P$ as follows:

$$\begin{array}{cc}\hfill a_1& =msk·\prod _{i\in \overline{W}(P^{\prime })}{(h_i^{P_i}·W_{a,i})}^r·{(Y_2{X}_3)}^{z{k}_1}·W_1\hfill \\ \hfill a_2& =g_1^r·{(Y_2{X}_3)}^{z{k}_2}·W_2\hfill \\ \hfill a_3& =g_1^t·{(Y_2{X}_3)}^{z{k}_3}·W_3\hfill \\ \hfill b& ={\{b_i=h_i^r·{(Y_2{X}_3)}^{z{k}_{b,i}}·W_{b,i}\}}_{i\in W(P)}\hfill \\ \hfill c& ={\{c_i=h_i^t·{(Y_2{X}_3)}^{z{k}_{c,i}}·W_{c,i}\}}_{i\in W(P)}\hfill \\ \hfill d& ={\{d_i=h_i^t/h_i^{P_i^{\prime }r}·{(Y_2{X}_3)}^{z{k}_{d,i}}·W_{d,i}\}}_{i\in \overline{W}(P)}\hfill \end{array}$$

By writing $Y_2$ as $g_2^y$, we have that this is a properly distributed SF key with randomness y, $z{k}_{1\sim 3}$, $z{k}_{b\sim d}$.

(ii)

case 2: $i>k$. $\mathcal{B}$ runs key generation algorithm using $msk$.

(iii)

case 3: $i=k$. To answer the k-th key query, $\mathcal{B}$ chooses $r^{\prime },t^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, $W_1,W_2,W_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}$, ${\{W_{a,i},W_{d,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in \overline{W}(P)}$, and ${\{W_{b,i},W_{c,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in W(P)}$. Then the $s{k}_P$ is constructed as follows:

$$\begin{array}{cc}\hfill a_1& =msk·\prod _{i\in \overline{W}(P^{\prime })}{(T^{{\eta }_i·P_i}·W_{a,i})}^{r^{\prime }}·W_1\hfill \\ \hfill a_2& =T^{r^{\prime }}·W_2\hfill \\ \hfill a_3& =T^{t^{\prime }}·W_3\hfill \\ \hfill b& ={\{b_i=T^{{\eta }_i·r^{\prime }}·W_{b,i}\}}_{i\in W(P)}\hfill \\ \hfill c& ={\{c_i=T^{{\eta }_i·t^{\prime }}·W_{c,i}\}}_{i\in W(P)}\hfill \\ \hfill d& ={\{d_i=T^{{\eta }_i(t^{\prime }-P_i{r}^{\prime })}·W_{d,i}\}}_{i\in \overline{W}(P)}\hfill \end{array}$$

Notice that, if $T\in {\mathbb{G}}_{p_1{p}_3}$, T can be written as $g_1^r{g}_3^w$ and the k-th secret key is a normal key with randomness $r{r}^{\prime },r{t}^{\prime }$. Otherwise, if $T\in {\mathbb{G}}_{p_1{p}_2{p}_3}$, T can be written as $g_1^r{g}_2^y{g}_3^w$ and the k-th secret key is SF with randomness $r{r}^{\prime },r{t}^{\prime },y,z{k}_1={\sum }_{i\in \overline{W}(P)}{\eta }_i{P}_i,z{k}_2=r^{\prime },z{k}_3=t^{\prime },z{k}_{b,i}={\eta }_i{r}^{\prime },z{k}_{c,i}={\eta }_i{t}^{\prime },z{k}_{d,i}={\eta }_i(t^{\prime }-P_i{r}^{\prime })$.

Challenge:$\mathcal{A}$ sends $\mathcal{B}$ challenge message $m_0,m_1\in {\{0,1\}}^{*}$ and a challenge pattern $P=(P_1,\cdots ,P_l)$ where $0\le l\le L$. $\mathcal{B}$ flips a coin $\zeta \leftarrow \{0,1\}$ and computes the challenge ciphertext C as follows:

$$\begin{array}{cccc}\hfill C_1& =X_1{X}_2,\hfill & \hfill C_2& =\prod _{i\in \overline{W}(P)}{(X_1{X}_2)}^{{\eta }_i·P_i}\hfill \\ \hfill C_3& =m·e(\gamma ,{(X_1{X}_2)}^{\delta }),\hfill & \hfill C_4& =\prod _{i\in W(P)}{(X_1{X}_2)}^{{\eta }_i}\hfill \end{array}$$

Notice that T can be written as $g_1^s$, and therefore this is a proper SF ciphertext with randomness $s,x,z{c}_2={\sum }_{i\in \overline{W}(P)}x{\eta }_i{P}_i,z{c}_4={\sum }_{i\in \overline{W}(P)}x{\eta }_i$.

Since the k-th secret key pattern is not a prefix of the challenge pattern modulo $p_2$, we have that $zk$ set and $zc$ set are independent and randomly distributed. If $\mathcal{B}$ checks that the k-th key is SF by using the above procedure (to create an SF ciphertext for k-th secret key pattern), then $z{k}_2·z{c}_2+z{k}_3·z{c}_4=z{k}_1$, which is nominally SF, and thus decryption always works (independently of T).

(5)

${\mathbf{Game}}_{\mathbf{q}}\approx {\mathbf{Game}}_{\mathbf{rand}}.$

We construct algorithm $\mathcal{B}$ that breaks Assumption LW.3 with the help of SWIBE CPA distinguisher $\mathcal{A}$. $\mathcal{B}$ first receives $(\mathcal{G},g_1,g_2,g_3,g_1^{\alpha }{X}_2,g_1^{\delta },g_1^s{Y}_2)$ and T from LW.3. Then $\mathcal{B}$ starts the IND-ID-CPA game with $\mathcal{A}$ and simulates $Gam{e}_q$ or $Gam{e}_{rand}$ depending on the nature of T.

Setup:$\mathcal{B}$ chooses ${({\eta }_i\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in \left[L\right]}$, then set $pp\leftarrow (g_1,\gamma =g_1^{\alpha }{X}_2,k_1=g_1^{\delta },g_3,{\{h_i=g_1^{{\eta }_i}\}}_{i\in \left[L\right]})$.

Key derivation queries: For pattern $P=(P_1,\cdots ,P_l)$ where $0\le l\le L$, $\mathcal{B}$ chooses $z{k}_1^{\prime },z{k}_2^{\prime },z{k}_3^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, and ${(z{k}_{b,i}^{\prime },z{k}_{c,i}^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in W(P)}$, and ${(z{k}_{d,i}^{\prime }\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N)}_{i\in \overline{W}(P)}$. Next it chooses $r,t\stackrel{\$}{\leftarrow }{\mathbb{Z}}_N$, $W_1,W_2,W_3\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}$, ${\{W_{a,i},W_{d,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in \overline{W}(P)}$, and ${\{W_{b,i},W_{c,i}\stackrel{\$}{\leftarrow }{\mathbb{G}}_{p_3}\}}_{i\in W(P)}$. Then it creates a SF secret key by setting:

$$\begin{array}{cc}\hfill a_1& =(g_1^{\alpha }{X}_2)·\prod _{i\in \overline{W}(P)}{(h_i^{P_i}·W_{a,i})}^r·g_2^{z{k}_1^{\prime }}·W_1\hfill \\ \hfill a_2& =g_1^r·g_2^{z{k}_2^{\prime }}·W_2\hfill \\ \hfill a_3& =g_1^t·g_2^{z{k}_3^{\prime }}·W_3\hfill \\ \hfill b& ={\{b_i=h_i^r·g_2^{z{k}_{b,i}^{\prime }}·W_{b,i}\}}_{i\in W(P)}\hfill \\ \hfill c& ={\{c_i=h_i^t·g_2^{z{k}_{c,i}^{\prime }}·W_{c,i}\}}_{i\in W(P)}\hfill \\ \hfill d& ={\{d_i=h_i^t/h_i^{P_i^{\prime }r}·g_2^{z{k}_{d,i}^{\prime }}·W_{d,i}\}}_{i\in \overline{W}(P)}\hfill \end{array}$$

Challenge:$\mathcal{A}$ sends $\mathcal{B}$ challenge message $m_0,m_1\in {\{0,1\}}^{*}$ and a challenge pattern $P=(P_1,\cdots ,P_l)$ where $0\le l\le L$. $\mathcal{B}$ flips a coin $\zeta \leftarrow \{0,1\}$ and computes the challenge ciphertext C as follows:

$$\begin{array}{cccc}\hfill C_1& =g_1^s{Y}_2,\hfill & \hfill C_2& =\prod _{i\in \overline{W}(P)}{(g_1^s{Y}_2)}^{{\eta }_i·P_i}\hfill \\ \hfill C_3& =m·T,\hfill & \hfill C_4& =\prod _{i\in W(P)}{(g_1^s{Y}_2)}^{{\eta }_i}\hfill \end{array}$$

This sets $z{c}_2={\sum }_{i\in \overline{W}(P)}{\eta }_i{P}_i,z{c}_4={\sum }_{i\in W(P)}{\eta }_i$. We note that $g_1^{{\eta }_i}$ are elements of ${\mathbb{G}}_{p_1}$, so when ${\eta }_i$ are randomly chosen from ${\mathbb{Z}}_N$, their value mod $p_1$ and mod $p_2$ are random and independent. We observe that, if $T=e{(g_1,g_1^{\delta })}^{\alpha s}$, then the challenge ciphertext is a properly distributed SF with message $m_{\zeta }$. Otherwise, if $T\stackrel{\$}{\leftarrow }{\mathbb{G}}_T$, then the ciphertext is an SF with a random message.

Since the adversary has no advantage in $Gam{e}_{rand}$ (where $\zeta$ is information-theoretically hidden), and by hybrid game $Gam{e}_{rand}$ is indistinguishable from $Gam{e}_{Real}$, we conclude that the adversary in $Gam{e}_{Real}$ has a negligible advantage.  □

7. Experiment

In this section, we show the experimental results by implementing SWIBE on an Intel Edison IoT machine with 32-bit 500 Mhz Atom processor and ublinux 3.10.17. We also implemented WIBE [11], WKD-IBE [13], WW-IBE [14], and constant CP-ABE (CCP-ABE) [3] on the same environment, and provide a comparison on encryption and decryption times.

Figure 1 shows the encryption and decryption times of SWIBE, WIBE, and CCP-ABE when increasing the maximal pattern depth (L) from 5 to 20. Note that SWIBE has more advanced functionality since SWIBE can support wildcards in both encryption and key generation, while WIBE and CCP-ABE allow for wildcards only in encryption. In CCP-ABE, each ID bit is considered as an attribute, and we assumed each pattern as 32-bit. The decryption time in CCP-ABE is slower, since the decryption process of the CCP-ABE involves multiple pairing operations proportional to the number of attributes. In the WIBE, when the user receives the ciphertext, the user needs to delegate the ciphertext to match his own specific ID pattern, which costs point multiplications. However, in SWIBE, the user can simply adjust the secret key of his pattern to the ciphertext pattern, which costs only negligible point additions. Therefore, the decryption time in SWIBE remains as constant; SWIBE improves the decryption time by up to 3 times compared with the WIBE, and 650 times compared with the CCP-ABE.

Figure 2 shows the encryption times and decryption times of SWIBE and WKD-IBE, when varying the maximal pattern depth (L) from 5 to 20. Note that the WKD-IBE allows the wildcard only in the key derivation, while SWIBE can include wildcards in both encryption and key derivation. Despite the better functionality, the encryption time and decryption time of SWIBE is almost identical to the results in WKD-IBE.

Figure 3 shows the encryption times and decryption times of SWIBE and WW-IBE, when varying the maximal pattern depth (L) from 5 to 20. Both encryption time and decryption time in SWIBE is faster than that of the WW-IBE, since WW-IBE involves heavy composite order pairing groups for encryption and requires $2L$ pairing operations in decryption; SWIBE improves the decryption time by 10 times compared with the WW-IBE.

8. Conclusions

In this paper, we propose a scalable wildcarded identity-based encryption (SWIBE), which is a new wildcarded identity-based encryption (WIBE) which first achieves the constant-size ciphertext. SWIBE supports the wildcard to be included both in encryption and key derivation, where one can encrypt messages to a group of users by using wildcards in the pattern, and one can delegate the secret key from the wildcard pattern to another identity string. We propose a standard IND-sID-CPA-secure SWIBE, and extend it to the IND-sID-CCA-secure SWIBE, both with formal security proofs. Then we also propose the fully-secure version of SWIBE, which overcomes the selective security. Our experimental results show that SWIBE improves the decryption time by 3, 10, and 650 times compared with the WIBE, WW-IBE, and CCP-ABE.