Scalable Wildcarded Identity-Based Encryption with Full Security

: Wildcarded identity-based encryption (WIBE) is an encryption system where one can encrypt messages to multiple users by specifying a pattern, which is a set of identity strings or wildcards. It is a useful primitive for practical applications where users are deﬁned with multiple attributes (or afﬁliations), such as organization networks or IoT ﬁrmware updates. However, the ciphertext size in traditional WIBE schemes are linear to the number of wildcards in the pattern; since the ciphertext size determines the payload in network systems, it degrades the practicality when deployed in transmission-sensitive systems. In this paper, we represent scalable wildcarded identity-based encryption (SWIBE), which achieves a constant-size ciphertext regardless of the number of wildcards (or depth of patterns). the SWIBE scheme also allows the wildcard usage key derivation as well as encryption: a user with wildcarded pattern can delegate keys for the ﬁxed pattern. Compared to the existing WIBE schemes, the SWIBE scheme is the ﬁrst approach to yield constant-size ciphertext. Moreover, SWIBE also improves encryption time and decryption time while maintaining a key size of 2 L , comparable to the key size of L in WIBE schemes (where L is a depth of the pattern). The experimental results show that the decryption time is 3 to 10 times faster than the existing WIBE schemes, and 650 times faster than the attribute-based encryption with constant-size ciphertext. For the security, we ﬁrst propose the selective-CPA-secure SWIBE scheme in a prime order bilinear group and extend it to be selective-CCA-secure. Then we also propose a fully-secure SWIBE scheme which can overcome the selective security.


Introduction
In modern IoT infrastructure, it is often essential to encrypt data to multiple devices at once on a group-basis, which let the data security require more advanced functionality of multi-encryption. Specifically, IoT devices are often defined and categorized by their own features, such as device types, manufacturers, affiliations, or locations; users (or devices) often need to send secure messages to a group of devices by specifying particular features. Some well-known examples are described as follows.

•
In smart city networks, an occupant may need to encrypt command reservations to home devices (e.g., turn-off devices of type: "lamp" and location: "living room").

•
In secure firmware updates, the firmware is encrypted to a group of devices which satisfies specific conditions (e.g., update devices of manufacturer: "Tesla").

•
In military communications, tactical data are encrypted to classified groups based on specific authorities (e.g., send strategy to devices of affiliation: "Air Force").
is that the WIBE construction let the decryptor transform the ciphertext to his own matching pattern.
In brief, the ciphertext should include additional parameters for the wildcarded pattern so that the wildcard can be transformed to the matching key element, based on the key delegation technique from BBG-HIBE [7].
As an alternative approach, the authors of WIBE [11] describes a generic construction of WIBE from HIBE, which can maintain the constant-size ciphertext of the HIBE ingredient. However, this technique results in an excessive secret key size, exponential to the depth of pattern. The main idea in this generic construction is to let the user store secret keys for every possible cases for decryption, instead of transforming the ciphertext. For example, to decrypt the ciphertext encrypted for pattern (ID 1 , ID 2 ), a user stores keys for every possible matching patterns: (ID 1 , ID 2 ), ( * , ID 2 ), (ID 1 , * ), ( * , * ). This leads to the secret key size exploded up to 2 L which is not reasonable to be used, e.g., in small IoT devices.
Solution. The main barrier of ciphertext size in WIBE is that the decryptor needs to delegate the ciphertext to his own matching pattern. For instance, if a decryptor with an identity (ID 1 , ID 2 ) decrypts a ciphertext for (ID 1 , * ), he transforms the * to ID 2 by the help of additional parameters in order to match his own pattern (ID 1 , ID 2 ). This lets the ciphertext include extra parameters related to each wildcard, which cannot be compressed to a constant value.
The problem can be resolved by reversing the transformation method: instead of delegating the wildcard to the matching pattern, the decryptor may prune his own pattern to match the wildcard. Specifically, the wildcard is considered as a distinct pattern, and additional pruning keys corresponding to the user's patterns can be provided so that any pattern can be transformed to the wildcard pattern. For example, if a decryptor with an identity (ID 1 , ID 2 ) decrypts a ciphertext for (ID 1 , * ), he transforms his ID 2 to * by using his own pruning key, in order to match the ciphertext pattern (ID 1 , * ). Note that the pruning key is only required for the depth of pattern L, which just doubles the secret key. As a result, the ciphertext does not require any additional parameters for delegation and the size can remain constant.
Scalable WIBE. Based on the idea, Kim et al. [15] proposed scalable wildcarded identity-based encryption (SWIBE), which achieves a constant-size ciphertext while maintaining the order of other parameters. SWIBE can efficiently cover the multi-encryption requirements in the IoT examples: with a single encryption and a constant ciphertext, one can encrypt to any group of multiple users by specifying the attributes of receivers. SWIBE scheme also allows wildcarded patterns both in encryption and key derivation as in WW-IBE [14], i.e., one can encrypt a message to multiple users by using wildcarded patterns, or delegate keys to other users if the identity includes wildcards. Compared to the WW-IBE, SWIBE also improves decryption time, since a user in WW-IBE requires a delegation of the given ciphertext to his own pattern while SWIBE allows a user to decrypt the ciphertext immediately. The practicality of SWIBE is justified by implementing the protocol on a real IoT device, and comparing experimental results with the existing works. Table 1 shows an overall comparison between hierarchical IBE (HIBE) [7], wildcarded IBE (WIBE) [11], wildcarded key derivation IBE (WKD-IBE) [13], WW-IBE [14], ciphertext policy ABE (CP-ABE) [3], and our proposed scalable WIBE (SWIBE) scheme. The comparison focuses on the size of public parameter (pp), secret key (SK), ciphertext (CT) and execution time of encryption (Enc), decryption (Dec), while the identity (pattern) depth is fixed as L and each identity is a q-bit string.
For the wildcard use, HIBE does not support wildcard, WIBE and CP-ABE supports wildcard only in encryption, WKD-IBE supports wildcard only in key derivation, while WW-IBE and SWIBE allow wildcard both in encryption and key derivation. For the ciphertext policy in CP-ABE, we assumed each bit in the ID as an attribute. Among the WIBE schemes which allow wildcards in encryption (WIBE, WW-IBE, SWIBE), only SWIBE has a constant-size ciphertext of 4 group elements regardless of the depth L. While supporting wildcarded pattern both in key derivation and encryption, SWIBE improves the decryption time compared to the WW-IBE.
Selective security. Despite the novel advantages, one remaining challenge is that the security of SWIBE relies on the selective security. In the selective security, the security model assumes that the target devices (i.e., devices which adversary desires to attack) are fixed before the security game. However, in real-life situation, we often cannot predict which devices are vulnerable, and which devices the attackers are planning to exploit. Therefore, for more robust security, it is recommended to advance the scheme to achieve full-security, i.e., IND-CPA secure without selective security.
Fully-secure SWIBE. In this paper, we extend selectively-secure SWIBE [15] to a fully-secure version, by modifying the SWIBE construction based on the composite order group. The composite order group sets the size of the cyclic group N as a composite number instead of a prime, to create different subgroups and let them cancel each other when computed in the pairing operation. This technique can disguise public elements while maintaining the correctness of the protocol, which can achieve the full security instead of the selective security. Based on the idea, we propose a new version of SWIBE protocol which satisfies full security, and formally prove the security under the standard assumptions. We now summarize the main contributions of SWIBE, and SWIBE with full security.
-Scalable wildcarded identity-based encryption (SWIBE) achieves constant-size ciphertext among the WIBE systems, without sacrificing the order of other parameters. -SWIBE is formally proved to satisfy IND-sID-CPA security, and it is extended to satisfy IND-sID-CCA security. -We provide practical experimental results based on a small IoT device with 500 MHz Atom processor. -This paper additionally proposes a fully secure (IND-ID-CPA-secure) SWIBE construction to overcome the selective security, and we formally prove the IND-ID-CPA security.
The rest of this paper is organized as follows. Section 2 introduces the basic definitions and complexity assumptions. In Section 3, we formally define the wildcard identity-based encryption as a universal primitive. Section 4 explains the main idea of the SWIBE scheme and how to construct it in details, along with the security proof. Section 5 extends it to be CCA secure, and Section 6 proposes a new version of SWIBE in composite order to obtain full security instead of selective security. In Section 7, we show the experimental results and in Section 8, we conclude.

Identity-Based Encryption
Identity-based encryption (IBE) [16] is defined as a tuple of algorithm IBE = (Setup, KeyDer, Enc, Dec) which provides the following functionality. The authority runs Setup to generate a public parameter pp and a master secret key msk. It publishes pp and keeps msk in private. When a user with an identity ID needs to join the system, the authority creates a decryption key d ID $ ← KeyDer(msk, ID), and sends the key to the user via secure channel. To encrypt a message m to the user with an identity ID, the sender computes a ciphertext C $ ← Enc(pp, ID, m), which is decrypted by the user as m ← Dec(d ID , C).

Hierarchical IBE
In hierarchical IBE (HIBE) [7], users are organized in an L-level binary tree, where the root is considered as a master authority. The user's identity at level 0 ≤ l ≤ L is given by a vector ID = (P 1 , . . . , P l ) ∈ ({0, 1} q ) l . HIBE is defined as a tuple of algorithms HIBE = (Setup, KeyDer, Enc, Dec) providing same functionalities as in IBE, except that a user ID = (P 1 , . . . , P l ) at level l can use his own secret key sk ID to generate a secret key for its children ID = (P 1 , . . . , P l , . . . , P L ) via sk ID $ ← KeyDer(sk ID , ID ). By applying the KeyDer algorithm interactively, user ID can derive secret keys for any of its descendants ID = (P 1 , . . . , P l+δ ), δ ≥ 0. We denote this process as sk ID $ ← KeyDer(sk ID , (P l+1 , . . . , P L+1 )). The secret key of the root at level 0 is sk = msk. Encryption and decryption are the same as IBE, but the identity is a vector of strings instead of ordinary strings.

Bilinear Groups and Pairings
In references [16,17], the bilinear maps and bilinear map groups are defined as follows: • G and G 1 are two multiplicative cyclic groups of prime order p. • g is a generator of G. • e : G × G → G 1 is a bilinear map.
Let G and G 1 be two groups as above. The bilinear map is defined as a map e : G × G → G 1 which satisfies the following properties:

•
The map is bilinear: for all u, v ∈ G and a, b ∈ Z, e(u a , v b ) = e(u, v) ab • The map is non-degenerate: e(g, g) = 1.
G is a bilinear group if the operation in G is efficient and there is a group G 1 with an efficiently computable bilinear map e : G × G → G 1 .

Computational Complexity Assumptions
The security of our scheme is based on bilinear Diffie-Hellman Exponent (BDHE) assumption used in [7], which is an extension of bilinear Diffie-Hellman Inversion (BDHI) assumption previously used in [18]. Let G be a bilinear group of prime order p. The L-BDHE problem in G is defined as follows: Given a vector of 2L + 1 elements above as input, output e(g, h) α L+1 ∈ G 1 . Once we specify g and α, we use y i to represent y i = g α i ∈ G. The adversary A has an advantage in solving L-BDHE in G if Pr[A(h, g, y 1 , . . . , y L , y L+2 , . . . , y 2L ) = e(y L+1 , h)] ≥ where the probability is over the random bits used by A, the random choice of generators g, h in G, and the random choice of α in Z p . The decisional version of the L-BDHE problem in G is defined analogously. Let y g,α,L = (y 1 , . . . , y L , y L+2 , . . . , y 2L ). An algorithm B that outputs b ∈ {0, 1} has advantage in solving decisional L-BDHE in G if |Pr[B(g, h, y g,α,L ,e(y L+1 , h)) = 0]− Pr[B(g, h, y g,α,L , T) = 0]| ≥ where the probability is over the random choice of generators g, h in G, α in Z p , and T ∈ G 1 , and the bits consumed by B. Definition 1. The (decisional) (t, , L)-BDHE assumption holds in G if no t-time algorithm has at least advantage to solve the (decisional) L-BDHE problem in G.
We may omit the t and , and refer to the (decisional) L-BDHE in G.

Model
SWIBE allows general key delegation and encryption to a group that is denoted by multiple identity strings and wildcards. To make the further description simple and clear, we define the following notations similarly to [11].

Definition 2.
A pattern P is a vector (P 1 , . . . , P L ) ∈ (Z * p ∪ { * }) L , where * is a special wildcard symbol, p is a q-bit prime number, and L is the maximal depth of the SWIBE scheme. We denote pattern P as in (Z * p ∪ { * }) L instead of ({0, 1} q ∪ { * }) L , since {0, 1} q can be easily mapped to Z * p with a hash function.
Notice that a set of patterns matching P is includes patterns belonging to P. For a pattern P = (P 1 , . . . , P L ), we define W(P) as a set of all wildcard indices in P, i.e., the indices 1 ≤ i ≤ L such that P i = * , and W(P) as a complementary set including all non-wildcard indices. Clearly, W(P) ∩ W(P) = ∅ and W(P) ∪ W(P) = {1, . . . , L}.  A scalable wildcarded identity-based encryption SWIBE consists of four algorithms: Setup(L) takes as input the maximal hierarchy depth L. It outputs a public parameter pp and master secret key msk. KeyDer(sk P , P new ) takes as input a user secret key sk P for a pattern P = (P 1 , . . . , P L ) and can derive a secret key for any pattern P new ∈ * P. The secret key of the root identity is msk = sk ( * ,..., * ) . Encrypt(pp, P, m) takes as input pattern P = (P 1 , . . . , P L ), message m ∈ {0, 1} * and public parameter pp. It outputs ciphertext C for pattern P. Decrypt(sk P , C, P ) takes as input user secret key sk P for pattern P = (P 1 , . . . , P L ) and ciphertext C for pattern P . Any user with the secret key for a pattern P which matches P can decrypt the ciphertext using sk P , and the algorithm outputs message m.

SECURITY.
We define the security of SWIBE scheme similar to the original WIBE [11], except we also consider the key delegation property. We allow an adversary to select an arbitrary pattern and query secret keys for the corresponding pattern. The adversary is disallowed to ask a key derivation query for any pattern matching the challenge pattern. The security of SWIBE is defined by an adversary A and a challenger C via the following game. Both C and A are given the hierarchy depth L and the identity bit-length q as inputs.
Setup: Challenger C runs Setup(L) to obtain public parameter pp and master secret key msk. C gives A public parameter pp.
Key derivation queries:1: Adversary A issues key derivation queries q K 1 , . . . , q K m in which a key derivation query consists of a pattern P ∈ (Z * p ∪ { * }) L , and challenger C responds with sk P $ ← KeyDer(sk P , P ). Query phase1: Adversary A issues decryption queries q D 1 , . . . , q D n in which a decryption query consists of a pattern P ∈ (Z * p ∪ { * }) L and ciphertext C, next challenger C responds with a message M $ ← Decrypt(C, P ). Challenge: A outputs two equal-length challenge messages m * 0 , m * 1 ∈ Z * p and a challenge identity P * = (P * 1 , . . . , P * L * ) s.t. P * ≈ P for all queried P . C runs algorithm C * ← Encrypt(pp, P * , m * b ) for random bit b and gives C * to A. Key derivation queries:2: Attacker A continues to issue key derivation queries q K m+1 , . . . , q q K same as Key derivation queries:1 where query pattern P ≈ P * . C responds as in key derivation query 1. Query phase2: Attacker A continues to issue decryption queries q D n+1 , . . . , q q D same as Query phase1.
It should be satisfied that queried ciphertext C = C * . C responds as in query phase 1. Guess: A outputs its guess b ∈ {0, 1} for b and wins the game if b = b .

Definition 7.
A SWIBE is (t, q K , q D , , L) IND-ID-CCA-secure if all t-time adversaries making at most q K queries to the key derivation oracle and at most q D queries to the decryption oracle have at most advantage in the IND-ID-CCA game described above.
We also define IND-ID-CPA-secure similar as IND-ID-CCA game except forbidden all decryption queries.
all t-time adversaries making at most q K queries to the key derivation oracle have at most advantage in the IND-ID-CPA game described above.

SELECTIVE-IDENTITY SECURITY.
A weaker selective-identity (sID) security notion IND-sID-CPA is defined analogously to the IND-ID-CPA one: every procedure is the same except that the adversary must commit to the challenge identity at the beginning of the game, before the public parameter is made available.

The Proposed Scheme
In this section, we describe the proposed scalable wildcarded identity based encryption scheme (SWIBE). Before presenting the formal scheme, we first describe the BBG-HIBE construction [7], which is a main building block for WIBE systems including SWIBE, along with our main idea to achieve constant-size ciphertext in Section 4.1. Then we provide SWIBE construction in Section 4.2, and show the formal security proof in Section 4.3.
The public parameters and the master secret key are given by KeyDer(sk P |l−1 , P): To compute the secret key sk P for an identity P = (P 1 , . . . , P l ) ∈ (Z * p ) l where l ≤ L from the master secret key, a random r $ ← Z * p is chosen, then secret key sk P = (a 1 , a 2 , b l+1 , · · · , b L ) for P is constructed as The private key for P can be generated incrementally, given a private key for the parent identity P |l−1 = (P 1 , . . . , P l−1 ) ∈ (Z * p ) l−1 . Let sk P |l−1 = (a 1 , a 2 , b l , · · · , b L ) be the private key for P |l−1 . To generate sk P , pick a random t ∈ Z * p and output Encrypt(pp, P, M): To encrypt a message m ∈ G 1 to pattern P = (P 1 , . . . , P l ), choose s $ ← Z * p , and compute Consider an identity pattern P = (P 1 , · · · , P l ). To decrypt a given ciphertext The BBG-HIBE scheme [7] has the advantage of constant-sized ciphertexts. The ciphertext consists of only three elements: (g s , (g 3 · h P 1 1 · · · h P l l ) s , M(g, g 2 ) sα ). When observing the secret key, a 1 and a 2 are responsible for the decryption, while b i stands for further key delegations. The pattern P = (P 1 , · · · , P l ) is combined as a single element a 1 , and we can delegate a 1 to another extended pattern P = (P 1 , · · · , P l , P l+1 ) by additionally combining the b l+1 into the a 1 . Since the united element a 1 directly involves the pattern and the element can be canceled by multiplying its inverse, we observe that secret key for some pattern can be replaced to another secret key for a different pattern by multiplication. For instance, it is possible to compute g α 2 (g 3 h The wildcard pattern can work in a similar way: when we consider the wildcard * as a fixed identity, i.e., a mapped element w ∈ Z * p , we may change an identity to the wildcard by including c i = (h w i /h P i i ) r for every identity string P i in a secret key and replacing (h P i i ) r with (h w i ) r . However, this approach has a security problem; the extra c i allows the adversary to compute h r by combining c i , w, P i , which reveals the top level secret key g α 2 g r 3 by canceling With the top level secret key, the adversary can generate any secret keys as he desires, which is a significant problem.
We resolve this issue by randomizing the wildcard part, by using another random t ∈ Z p independent from r. Specifically, we revise the extra key c i as c i = h wt i /h P i r i , and also provide g t with g r , to let the decryption work correctly. For instance, the key g α The remaining issue is that the encryption requires some adjustments, to be compatible with the modification of random t. For example, to encrypt for the pattern ( * , P 2 , * ), the pattern is divided into wildcard part and non-wildcard part. The non-wildcard identity part (·, P 2 , ·) is encrypted as (g s , (g 3 · h P 2 2 ) s , M · e(g 1 , g 2 ) s ), same as the BBG-HIBE. Then the wildcard identity part ( * , ·, * ) is encrypted as (h w 1 h w 3 ) s , which can later be used in decryption to cancel out the wildcard part of user secret key. In summary, the ciphertext can remain as constant with an additional single group element to the original BBG-HIBE ciphertext which is three group elements, and the key size also remains efficient, linear to the number of patterns, within the same order compared with the BBG-HIBE.
The complete scheme is represented in the following Section 4.2 with assuming the value w = 1. Then we formally prove the security of the scheme in Section 4.3.

SWIBE Construction
We now describe the SWIBE scheme which achieves constant size ciphertext and O(L) size keys.

Setup(L):
Let L indicate the maximum depth of the pattern. The initial set of keys are generated as follows. Sample α ∈ Z * p , and O(L) group elements g, g 2 , g 3 , h 1 , h 2 , . . . , h L ∈ G randomly, and compute The public parameter is given by A master secret key is set as msk = g α 2 . KeyDer(pp, sk P , P ): To derive the secret key sk P for a pattern P = (P 1 , . . . , P L ) ∈ (Z * p ∪ { * }) L from the msk, two randoms r, t $ ← Z * p are chosen. Then, the secret key sk P = (a 1 , a 2 , a 3 , b , c , d ) for P is computed as In order to generate secret key sk P for a pattern P from secret key sk P = (a 1 , a 2 , a 3 , b, c) for a pattern P such that P ∈ * P, simply choose two randoms r , t $ ← Z * q and output sk P = (a 1 , a 2 , Encrypt(pp, P, m): To encrypt a message m ∈ G 1 to pattern P = (P 1 , . . . , Decrypt(sk P , C, P ): Consider patterns P and P ∈ (Z * p ∪ { * }) L , where P is a key pattern and P is a ciphertext pattern. To decrypt a given ciphertext C = (C 1 , C 2 , C 3 , C 4 ) with private key The correctness of the decryption is described as follows. We denote W P P = W(P ) ∩ W(P), W P P = W(P ) ∩ W(P), W P P = W(P ) ∩ W(P), and W P P = W(P ) ∩ W(P) to simplify notations.
Since W P P ∪W P P = W(P) and W P P ∩ W P P = ∅, ∏ i∈W(P) h P i i · ∏ i∈W P P h −P i i = ∏ i∈W P P h P i i . Similarly, since W P P ∪W P P = W(P ) and W P P ∩W P P = ∅, ∏ i∈W P P h t i · ∏ i∈W P P h t i = ∏ i∈W(P ) h t i . Therefore, Since P ≈ P , P i = P i for i ∈ W P P .
Since W P P ∪W P P = W(P ) and W P P ∩W P P = ∅, ∏ i∈W P P h e(a 2 , C 2 ) · e(a 3 , C 4 ) e(C 1 , a 1 )

Security Proof
In this section, we show the formal proof for IND-sID-CPA-security of SWIBE scheme in the standard model. Theorem 1. Let G be a bilinear group of prime order p. Suppose the decisional (t, , L)-BDHE assumption holds in G. Then our SWIBE is (t , q K , 0, , L) sID-CPA secure for arbitrary L, and t < t − O (Le + p), where e and p denote the execution times of scalar multiplication and pairing in G, respectively.
Proof. Suppose A has advantage in attacking the SWIBE scheme. Using A, we build an algorithm B that solves the (decisional) L-BDHE problem in G.
For a generator g ∈ G and α ∈ Z * p , let y i = g α i ∈ G. Algorithm B is given as input a random tuple (g, h, y 1 , . . . , y L , y L+2 , . . . , y 2L , T) that is either chosen from P BDHE where T = e(g, h) (α L+1 ) or from R BDHE where T is uniformly distributed in G 1 . The goal of algorithm B is to output 1 when the input is sampled from P BDHE and 0 otherwise. Algorithm B interacts with A in a selective subset game as follows: Init: The game begins with A first outputting an identity vector P * = (P * 1 , . . . , P * L ) ∈ * (Z * p ∪ { * }) L . Setup: To generate the public parameter, algorithm B picks a random γ in Z p and sets g 1 = y 1 = g α and g 2 = y L g γ = g γ+(α L ) . Next, B picks random γ i ∈ Z * p for i = 1, . . . , L, and sets h i = g γ i /y L−i+1 for i ∈ W(P * ) and h i = g γ i for i ∈ W(P * ). Algorithm B also picks a random δ in Z * p and sets Key derivation queries: Suppose that adversary B queries a key derivation query for pattern P = (P 1 , . . . , P L ) ∈ * (Z * p ∪ { * }) L . The definition of the security experiment says that P * ∈ * P. Therefore, there exists an index k ∈ W(P) such that P k = P * k . We define k to be the smallest one among all possible indices. B picks two randomr,t ∈ Z * p and (implicitly) sets r ← − α k P * k −P k +r and t ← r · P * k +t. Secret key sk P = (a 1 , a 2 , a 3 , b, c, d) for P is constructed as We have We split this term up into two factors A · Z, where A = (y P * k −P k L−k+1 ) r is the third product only. We can check that Z can be computed by A, i.e., the terms y i only appear with indices i ∈ {1, . . . , L}. Term A can be expressed as and for each i ∈ W(P), can be computed since k ∈ W(P).
And for each i ∈ W(P), Otherwise also A can compute it since i = k and y L+1 does not appear in the equation.
Challenge: For the challenge, B computes C 1 , C 2 , and C 4 as h, h δ+∑ i∈W(P * ) (γ i P * i ) , and h ∑ i∈W(P * ) γ i . Then, it selects a random bit b ∈ {0, 1} and sets C 3 = m b · T · e(y 1 , h) γ . It returns C = (C 1 , C 2 , C 3 , C 4 ) as a challenge to A. We claim that if T = e(g, h) (α L+1 ) (i.e., the input to B is an L-BDHE tuple) then (C 1 , C 2 , C 3 , C 4 ) is a valid challenge to A as in a real attack. To see this, write h = g c for some (unknown) c ∈ Z * p . Then Therefore, by definition, e(y L+1 , g) c = e(g, h) (α L+1 ) = T and hence C = (C 1 , C 2 , C 3 , C 4 ) is a valid challenge to A. On the other hand, when T is randomly chosen in G 1 (i.e., the input to B is a random tuple) then C 3 is just a random independent element in G 1 to A.
Guess: Finally, A outputs a guess b ∈ {0, 1}. Algorithm B terminates its own game by outputting a guess as follows. If b = b then B outputs 1 meaning T = e(g, h) (α L+1 ) . Otherwise, it outputs 0 denoting that T is random in G 1 .

Extension to CCA Security
In this section, we show the extension of CPA-secure SWIBE to satisfy CCA-security, by applying the similar technique from the extension in [19]. Given any one-time signature scheme (SigKeygen, Sign, Veri f y) with a verification key as a q-bit string, we construct an L-level SWIBE Π = (Setup, KeyDer, Encrypt, Decrypt) secure against chosen-ciphertext attacks using the (L + 1)-level Π = (Setup , KeyDer Encrypt , Decrypt ) semantically secure SWIBE. The idea is that P = (P 1 , · · · , P L ) ∈ {Z * p ∪ { * }} L in Π is mapped to P = (P 1 , · · · , P L , * ) ∈ {Z * p ∪ { * }} L+1 in Π . Thus, the secret key sk P for P in Π is the secret key sk P in Π . Recall that sk P can generate secret keys for all descendants of node P . When encrypting a message m to P C = (P C 1 , · · · , P C L ) in Π, the sender generates a q-bit verification key V sig ∈ Z * p and encrypts m to P C = (P C 1 , · · · , P C L , V sig ) using Π . The construction of L-level Π utilizing (L + 1)-level Π and a one-time signature scheme is as follows: Setup(L) runs Setup (L + 1) to obtain (pp , msk ). Given pp ← (g, g 1 , g 2 , g 3 , h 1 , · · · , h L+1 ) and msk , the public parameter is pp ← (g, g 1 , g 2 , g 3 , h 1 , · · · , h L ) and the master secret key is msk ← msk .
KeyDer(pp, sk P , P new ) is the same as the KeyDer algorithm.
1. Verify that σ is the valid signature of C under the key V sig . If invalid, output ⊥. 2. Otherwise, check P ≈ P C , generate sk P ← KeyDer (sk P , P ) for P = (P 1 , · · · , P L , V sig ), and run Decrypt (sk P , C, P C ) to extract the message.

Theorem 2.
Let G be a bilinear group of prime order p. The above SWIBE Π is (t, q K , q D , 1 + 2 , L) CCA-secure assuming the SWIBE Π is (t , q K , 0, 1 , L + 1) semantically secure in G and signature scheme is (t , 2 ) strongly existentially unforgeable with q K < q K , t < t − (Le + 3p)q D − t s , where e is exponential time, p is pairing time, and t s is sum of SigKeyGen, Sign and Veri f y computation time.
Setup: B gets the public parameter pp of Π and also gets secret keys sk P for P ≈ S * * from challenger C.
B responds with pp and secret keys sk P of the first type of P . (Recall that the secret key sk P = sk P where P = (P 1 , · · · , P L , * .) The secret keys sk P of the second type of P are utilized to respond to the decryption queries of A as described in the below.
Query phase1: Algorithm A issues decryption queries. Let (P, CT) be a decryption query where P ∈ * P * and P ≈ P C where P C is a pattern of ciphertext. Let CT = ( (C 1 , C 2 , C 3 , C 4 ), σ, V sig ). Algorithm B responds as following: 1. Execute Veri f y to verify the signature σ on (C 1 , C 2 , C 3 , C 4 ) using verification key V sig . If the signature is invalid, then B responds with ⊥. 2. If V sig = V * sig , a forge event occurs, algorithm B outputs a random bit b $ ← {0, 1} and aborts the simulation. 3. Otherwise, B decrypts the ciphertext CT using the second type of secret keys. Since V sig = V * sig , B can query the key generation query for P = (P 1 , · · · , P L , V sig ) which is second type pattern. Using sk P , B can decrypt m ← Decrypt ( sk P , (C 1 , C 2 , C 3 , C 4 ), P C ) where P C = (P 1 , · · · , P L , V sig ) since P = P C .
Challenge: A gives the challenge (m 0 , m 1 ) to B. B gives the challenge (m 0 , m 1 ) to C and gets the challenge (CT b ) from C. To generate challenge for A, algorithm B computes C * as follows: Query phase2: Same as in query phase1 except can not decrypt query for C*.
Guess: The A outputs a guess b ∈ {0, 1}. B outputs b. We see that algorithm B can simulate all queries to run A. B's success probability as follows: To conclude the proof of Theorem 2, the remaining process is to bound the probability that B aborts the simulation as a result of forge, which we claim as Pr[forge] < 2 . Otherwise, one can use A to forge signatures with a probability of at least 2 . In brief, we can construct another simulator which knows the private key, but receives K * sig as a challenge in an existential forgery game. In the experiment above, A aborts by submitting a query which includes an existential forgery under K * sig on some ciphertexts. Our simulator utilizes the forgery to win the existential forgery game. Note that a single chosen message query is asked by adversary A to generate a signature for the challenge ciphertext. Thus, Pr[forge] < 2 . It now follows that B's advantage is at least 1 as required.

Fully Secure Scheme
In this section, we present a new version of SWIBE based on composite order bilinear groups, to obtain full security (IND-ID-CPA) instead of selective security (IND-sID-CPA). In the original SWIBE scheme (Section 4), the security proof was limited to the selective security, since the scheme was bound to a single group. In this case, if the challenge pattern is not committed before the game, the reduction algorithm cannot simulate secret keys (without knowing the secret factor α) for key queries from the adversary. To resolve this issue, we now construct the scheme with parameters from multiple subgroups similar to [14], using the fact that it is difficult to determine from which group the element came from. When using the subgroup assumptions, for each pattern, the reduction can both simulate the secret key in one subgroup and embed the problem in another subgroup. Therefore, the full security can be achieved. We first introduce the definition and features of composite order bilinear groups. Then we show the decisional subgroup assumptions from Lewko and Waters (LW.1-LW.3), and present our composite order (fully-secure) SWIBE which also has a constant-size ciphertext. Finally, we prove the full security of our composite order SWIBE based on LW assumptions.

Composite Order Bilinear Groups
We describe the composite order bilinear groups as in [14]. We use groups where the order is a product of three primes and a generator G which takes security parameter λ as input and generates a description G = (N = p 1 p 2 p 3 , G, G T , e) where p 1 , p 2 , p 3 are distinct primes of Θ(λ) bits, G and G T are cyclic groups of order N. For a, b, c ∈ {1, p 1 , p 2 , p 3 }, we denote the subgroup of order abc as G abc . Considering the fact that the group is cyclic, it is easy to verify that if g and h are group elements of different order (belonging to different subgroups), then e(g, h) = 1.

Complexity Assumptions
We first restate the complexity assumptions we use, which were originally introduced by Lewko and Waters in [20] and used in [14]. and then pick g 1 , X 1 ← G p 1 p 2 p 3 and set D = (G, g 1 , g 3 , X 1 X 2 , Y 2 X 3 ). We define the advantage of an algorithm A in breaking Assumption 2 to be: Assumption LW.3: For a generator G of bilinear settings, first pick a bilinear setting G $ ← G(1 λ ) and ← G T and set T 1 = e(g 1 , g δ 1 ) αs and D = (G, g 1 , g 2 , g 3 , g α 1 X 2 , g δ 1 , g s 1 Y 2 ). We define the advantage of an algorithm A in breaking Assumption 3 to be:

Fully-Secure SWIBE Construction
We present the fully-secure SWIBE with constant size ciphertexts and O(L) size keys, which is based on the composite order bilinear group (N = p 1 p 2 p 3 ). Note that W from subgroup G p 3 is only a blinding factor, to be eliminated when computed in a pairing operation (due to the orthogonal property of composite order bilinear groups).
A master secret key is defined as msk = k α 1 . KeyDer(pp, sk P , P ): To compute secret key sk P according to pattern P = (P 1 , . . . , P L ) ∈ (Z * p ∪ { * }) L from the master secret key, first two randoms r, t $ ← Z N are chosen. Then random blinding factors are chosen. Secret key sk P = (a 1 , a 2 , a 3 , b , c , d ) for P is constructed as In order to generate secret key sk P for a pattern P from secret key sk P = (a 1 , a 2 , a 3 , b, c) for a pattern P such that P ∈ * P, simply choose two randoms r , t $ ← Z N , and blinding randoms W 1 , W 2 , W 3 $ ← G p 3 , {W a,i , W d,i } i∈W(P ) , and {W b,i , W c,i } i∈W(P ) and output sk P = (a 1 , a 2 , a 3 , b , c , d ), where Encrypt(pp, P, m): To encrypt a message m ∈ G to pattern P = (P 1 , . . . , P L ) under pp, choose s $ ← Z * p , and compute C = (C 1 , C 2 , C 3 , C 4 ) Decrypt(sk P , C, P ): The decryption is similar to the decryption in Section 4.2, since the elements in G p 1 will work in an equivalent way compared to the original SWIBE construction. Consider patterns P and P ∈ (Z * p ∪ { * }) L , where P is a key pattern and P is a ciphertext pattern. To decrypt a given ciphertext C = (C 1 , C 2 , C 3 , C 4 ) with private key sk P = (a 1 , a 2 , a 3 , b, c, d), compute a 1 = a 1 · ∏ i∈W(P )∩W(P) b P i i · ∏ i∈W(P )∩W(P) c i · ∏ i∈W(P )∩W(P) d i and output The fact that decryption works is similar to the decryption of original SWIBE construction in Section 4.2. Note that the blinding factors W from subgroup G p 3 make no difference, since they will be eliminated in the pairing operations due to the orthogonal property in Section 6.1.

Security Proof
In this section, we prove that our fully-secure SWIBE scheme in Section 6.3 is IND-ID-CPA-secure under the Lewko and Waters assumptions (LW.1-LW.3) in Section 6.2. The security proof is based on the hybrid games.
Before presenting hybrid games, we introduce two additional structures used in the proofs of security similar to [14,20]: Semi-Functional (SF) Ciphertext. Let g 2 denote a generator of G p 2 . An SF ciphertext is constructed as follows: we use the encryption algorithm to form a normal ciphertext C ← [C 1 , C 2 , C 3 , C 4 ]. We choose random exponents x $ ← Z N and zc 2 , zc 4 $ ← Z N . Then we set: .

Semi-Functional (SF) Keys.
To generate a SF key, a normal secret key (a 1 , a 2 , a 3 , b , c , d ) is first created, using the key derivation algorithm with pp, msk, and pattern P. Then randoms are chosen: y, zk 1 , zk 2 , zk 3 $ ← Z N , (zk b,i , zk c,i $ ← Z N ) i∈W(P) , and (zk d,i $ ← Z N ) i∈W(P) . Then the SF secret key is constructed as follows.
Note that SF ciphertexts can be decrypted by normal secret keys and SF secret keys can be used to decrypt normal ciphertext. But an SF ciphertext, for pattern P , cannot be decrypted by an SF secret key. The decryption algorithm will compute the blinding factor multiplied by the additional term e(g 2 , g 2 ) xy·(zk 2 ·zc 2 +zk 3 ·zc 4 −zk 1 ) . If zk 2 · zc 2 + zk 3 · zc 4 = zk 1 , decryption will still work. Such ciphertexts and secret keys are defined as nominally SF. Proof. We prove the security via sets of hybrid games, and by showing that two games are computationally indistinguishable in each step. For the sketch of our proof, we first define the series of games. Let us assume PPT adversary A with q key queries. Then we define q + 5 games between A and a challenger C as follows.

•
Game real : It is the real IND-ID-CPA (or IND-WWID-CPA [14]) security game. • Game gen : This game is same as Game real , except the fact that all key queries from the adversary is answered by fresh key generation algorithm. In the security proof, we use the term key generation for the key delegation from msk, which is equivalent. • Game pre : It is a same game as Game gen , except the fact that the adversary cannot query for keys if the pattern is a prefix of the challenge pattern mod p 2 . We say that the pattern P is a prefix of P * mod p 2 if there exists i s.t. P i = P * i mod N and P i = P * i mod p 2 . • Game 0 : It is a same game as Game pre , except the fact that the challenge ciphertext C 1 ∼ C 4 is given as a SF ciphertext. • Game 1∼q : For k from 1 to q, Game k is same as Game 0 except the fact that the first k keys are given as SF keys. The other keys are given as normal keys from the key generation algorithm. • Game rand : This game is same as Game q , but where C 3 of challenge ciphertext has a random element in G T . Since C 3 is distorted with a random element, the ciphertext is now independent from the message and the adversary can have no advantage.
With the games defined above, we now introduce the outline of our hybrid games as follows.
1. Game real = Game gen . Since the key generation algorithm has an identical distribution, it is exactly the same to call key delegation or fresh key generation from the adversary's view. 2. Game gen ≈ Game pre . We require that the adversary cannot obtain the key for prefix pattern of challenge ciphertext, to prevent the adversary to find the nominality in SF randoms. We prove the hybrid game by showing that prefix query itself can break the Assumption LW.2. 3. Game pre ≈ Game 0 . We construct algorithm B which breaks Assumption LW.1 with a help of SWIBE CPA distinguisher A. The nature of the challenge ciphertext (normal or SF) is decided by T given from the Assumption LW.1, which indicates that two games are indistinguishable from the adversary's view. 4. Game k−1 ≈ Game k . We construct algorithm B which breaks Assumption LW.2 with a help of SWIBE CPA distinguisher A. The nature of the k-th key (normal or SF) is decided by T given from the Assumption LW.2, which indicates that two games are indistinguishable from the adversary's view. 5. Game q ≈ Game rand . We construct algorithm B which breaks Assumption LW.3 with a help of SWIBE CPA distinguisher A. The nature of the ciphertext (SF or random) is decided by T given from the Assumption LW.3, which indicates that two games are indistinguishable from the adversary's view. This concludes the proof, since the adversary can have no advantage in the final game.
We now give formal proofs for each hybrid game stated above.
(1) Game real = Game gen . The delegated key from the key delegation algorithm has an identical distribution as the freshly generated key from the key generation algorithm. Therefore, it is straightforward that it is exactly the same whether to provide the key with delegating the previous key or to provide the key from a fresh call to the key generation algorithm.
(2) Game gen ≈ Game pre . We define that pattern P = (P 1 , · · · , P k ) is a prefix of pattern P * = (P * 1 , · · · , P * j ) modulo p 2 , if there exists P i and P * i such that P i = P * i mod N and P i = P * i mod p 2 . In this case, p 2 divides P i − P * i , and therefore a = gcd(P i − P * i , N) is a nontrivial factor of N. Since p 2 divides a, let us set b = N/a. There are two cases: (1) b is in ord(g 1 ), or (2) b is not in ord(g 1 ) but in ord(g 3 ).
Suppose that case 1 has probability of at least /2. We describe algorithm B that breaks Assumption LW.2. B receives (G, g 1 , g 3 , X 1 X 2 , Y 2 X 3 ) and T and constructs pp and msk by choosing α, δ $ ← Z N and [L] , and setting pp ← (N, ) and msk ← k α 1 . Then B runs A on input pp and uses knowledge of msk to answer A's queries. At the end of the game, B computes a = gcd(P i − P * i , N), for all Ps which are patterns for the key queries that A has asked, and for P * which is the challenge pattern. If e((X 1 X 2 ) a , Y 2 X 3 ) is the identity element of G T , B tests if e(T b , X 1 x 2 ) is also the identity element of G T . When the second test is successful, B declares T ∈ G p 1 p 3 . Otherwise, B declares T ∈ G p 1 p 2 p 3 . It is from the simple fact that p 2 divides a and p 1 = ord(g 1 ) divides b. For case 2, B can break Assumption LW.2 in the same way by exchanging the roles of G p 1 and G p 3 , i.e., p 1 and p 3 .
(3) Game pre ≈ Game 0 . We construct algorithm B that breaks Assumption LW.1 with the help of SWIBE CPA distinguisher A. B first receives (G, g 1 , g 3 ) and T from LW.1. Then B starts the IND-ID-CPA game with A and simulates Game pre or Game 0 depending on the nature of T.
) and msk ← k α 1 . Key derivation queries: B can answer all key generation queries from A since B knows msk.
Challenge: A sends B challenge message m 0 , m 1 ∈ {0, 1} * and a challenge pattern P = (P 1 , · · · , P l ) where 0 ≤ l ≤ L. B flips a coin ζ ← {0, 1} and computes the challenge ciphertext C as follows: Notice that if T ∈ G p 1 , then T can be written as g s 1 and C is a normal ciphertext with randomness s. Instead, if T ∈ G p 1 p 2 , then T can be written as g s 1 g x 2 and C is SF with randomness s, x, zc 2 = η i · P i , zc 4 = η i .
(4) Game k−1 ≈ Game k . We construct algorithm B that breaks Assumption LW.2 with the help of SWIBE CPA distinguisher A. B first receives (G, g 1 , g 3 , X 1 X 2 , Y 2 X 3 ) and T from LW.2. Then B starts the IND-ID-CPA game with A and simulates Game k−1 or Game k depending on the nature of T.
, then set pp ← (g 1 , γ = g α 1 , k 1 = g δ 1 , g 3 , {h i = g . Then we set the sk P as follows: By writing Y 2 as g y 2 , we have that this is a properly distributed SF key with randomness y, zk 1∼3 , zk b∼d . (ii) case 2: i > k. B runs key generation algorithm using msk.
(iii) case 3: i = k. To answer the k-th key query, B chooses r , t . Then the sk P is constructed as follows: Notice that, if T ∈ G p 1 p 3 , T can be written as g r 1 g w 3 and the k-th secret key is a normal key with randomness rr , rt . Otherwise, if T ∈ G p 1 p 2 p 3 , T can be written as g r 1 g y 2 g w 3 and the k-th secret key is SF with randomness rr , rt , y, zk 1 = ∑ i∈W(P) η i P i , zk 2 = r , zk 3 = t , zk b,i = η i r , zk c,i = η i t , zk d,i = η i (t − P i r ).
Challenge: A sends B challenge message m 0 , m 1 ∈ {0, 1} * and a challenge pattern P = (P 1 , · · · , P l ) where 0 ≤ l ≤ L. B flips a coin ζ ← {0, 1} and computes the challenge ciphertext C as follows: Notice that T can be written as g s 1 , and therefore this is a proper SF ciphertext with randomness s, x, zc 2 = ∑ i∈W(P) xη i P i , zc 4 = ∑ i∈W(P) xη i .
Since the k-th secret key pattern is not a prefix of the challenge pattern modulo p 2 , we have that zk set and zc set are independent and randomly distributed. If B checks that the k-th key is SF by using the above procedure (to create an SF ciphertext for k-th secret key pattern), then zk 2 · zc 2 + zk 3 · zc 4 = zk 1 , which is nominally SF, and thus decryption always works (independently of T).
(5) Game q ≈ Game rand . We construct algorithm B that breaks Assumption LW.3 with the help of SWIBE CPA distinguisher A. B first receives (G, g 1 , g 2 , g 3 , g α 1 X 2 , g δ 1 , g s 1 Y 2 ) and T from LW.3. Then B starts the IND-ID-CPA game with A and simulates Game q or Game rand depending on the nature of T.
Challenge: A sends B challenge message m 0 , m 1 ∈ {0, 1} * and a challenge pattern P = (P 1 , · · · , P l ) where 0 ≤ l ≤ L. B flips a coin ζ ← {0, 1} and computes the challenge ciphertext C as follows: This sets zc 2 = ∑ i∈W(P) η i P i , zc 4 = ∑ i∈W(P) η i . We note that g η i 1 are elements of G p 1 , so when η i are randomly chosen from Z N , their value mod p 1 and mod p 2 are random and independent. We observe that, if T = e(g 1 , g δ 1 ) αs , then the challenge ciphertext is a properly distributed SF with message m ζ . Otherwise, if T $ ← G T , then the ciphertext is an SF with a random message. Since the adversary has no advantage in Game rand (where ζ is information-theoretically hidden), and by hybrid game Game rand is indistinguishable from Game Real , we conclude that the adversary in Game Real has a negligible advantage.

Experiment
In this section, we show the experimental results by implementing SWIBE on an Intel Edison IoT machine with 32-bit 500 Mhz Atom processor and ublinux 3.10.17. We also implemented WIBE [11], WKD-IBE [13], WW-IBE [14], and constant CP-ABE (CCP-ABE) [3] on the same environment, and provide a comparison on encryption and decryption times. Figure 1 shows the encryption and decryption times of SWIBE, WIBE, and CCP-ABE when increasing the maximal pattern depth (L) from 5 to 20. Note that SWIBE has more advanced functionality since SWIBE can support wildcards in both encryption and key generation, while WIBE and CCP-ABE allow for wildcards only in encryption. In CCP-ABE, each ID bit is considered as an attribute, and we assumed each pattern as 32-bit. The decryption time in CCP-ABE is slower, since the decryption process of the CCP-ABE involves multiple pairing operations proportional to the number of attributes. In the WIBE, when the user receives the ciphertext, the user needs to delegate the ciphertext to match his own specific ID pattern, which costs point multiplications. However, in SWIBE, the user can simply adjust the secret key of his pattern to the ciphertext pattern, which costs only negligible point additions. Therefore, the decryption time in SWIBE remains as constant; SWIBE improves the decryption time by up to 3 times compared with the WIBE, and 650 times compared with the CCP-ABE. 5 10 15 20

Conclusions
In this paper, we propose a scalable wildcarded identity-based encryption (SWIBE), which is a new wildcarded identity-based encryption (WIBE) which first achieves the constant-size ciphertext. SWIBE supports the wildcard to be included both in encryption and key derivation, where one can encrypt messages to a group of users by using wildcards in the pattern, and one can delegate the secret key from the wildcard pattern to another identity string. We propose a standard IND-sID-CPA-secure SWIBE, and extend it to the IND-sID-CCA-secure SWIBE, both with formal security proofs. Then we also propose the fully-secure version of SWIBE, which overcomes the selective security. Our experimental results show that SWIBE improves the decryption time by 3, 10, and 650 times compared with the WIBE, WW-IBE, and CCP-ABE.