Keywords

1 Introduction

1.1 Motivation

Hierarchical identity-based encryption (HIBE) [16, 26] is a generalization of identity-based encryption (IBE) [36]. It offers more flexibility in sharing sensitive data than IBE or classical public-key encryption (PKE).

In an HIBE scheme, users’ identities are arranged in an organizational hierarchy and, more precisely, a hierarchical identity is a vector of identities of some length \(p>0\). As in an IBE scheme, anyone can encrypt a message with respect to an identity \(\mathsf {id}:=(\mathsf {id}_1,...,\mathsf {id}_{p})\) by access to only the public parameters. To decrypt this encrypted message, one of \(\mathsf {id}\)’s ascendants at level \(p'\) where \(0<p'<p\) can delegate a user secret key for \(\mathsf {id}\), in addition to asking the trusted authority for \(\mathsf {id}\)’s user secret key as in the IBE setting. Furthermore, a user at level \(p\) is not supposed to decrypt any ciphertext for a recipient who is not among its descendants.

The security we focus on in this paper is adaptive security, where an adversary is allowed to declare a fresh challenge identity \(\mathsf {id}^{\star }\) adaptively and obtain a challenge ciphertext of \(\mathsf {id}^{\star }\) after seeing user secret keys for arbitrary chosen identities and (master) public keys. It is a widely accepted security notion for both HIBE and IBE schemes. Most of the existing HIBE schemes in the standard model have a security loss of at least \(Q_e\) (such as [6, 9]) or even \(Q_e^{L}\) [39], where \(Q_e\) is the maximum number of user secret key queries and \(L\) is the maximum hierarchy depth. Constructions from recent work of Langrehr and Pan (LP) [29, 30] are the known exceptions. Their security loss depends only on the security parameter, but not \(Q_e\). However, their master public key sizeFootnote 1 depends on \(L\). As \(L\) grows, the master public key becomes larger.

In particular, the maximum hierarchy depth \(L\) needs to be fixed in the setup phase. Once it is fixed and master public keys are generated, there is no way to add new levels into the hierarchy. This can be an undesirable burden to deploy HIBE in practice since institutions grow rapidly nowadays. Hence, it is more desirable to construct a tightly secure HIBE scheme whose master public keys are independent of the maximum hierarchy depth.

We note that the limitation mentioned above exists not only in the LP schemes but also in almost all the HIBE schemes even with non-tight security in the standard model. The notion of unbounded HIBE from Lewko and Waters [33] is proposed to overcome this limitation. In an unbounded HIBE, the whole scheme is not bounded to the maximum depth \(L\). In particular, its master public keys, user secret keys and ciphertexts are all independent of \(L\). (Though the user secret keys and ciphertexts can still depend on the actual hierarchy depth of the identity.) They and the follow-up work [18, 31] give constructions of unbounded HIBE in composite- and prime-order pairing groups, respectively, to implement this notion. Unfortunately, none of these constructions is tight.

Our goal: Tightly secure unbounded HIBE. In this paper, we aim at constructing unbounded HIBE with tight reductions based on standard assumptions. We start recalling tight security and then give some reasons about why it is technically challenging to achieve this goal.

A security reduction is usually used to prove the security of a cryptographic scheme \(S\) by reducing any attacker \(\mathcal {A}\) against \(S\) to an attacker \(\mathcal {R}\) against a corresponding computational hard problem \(P\) in an efficient way. After that, we can conclude that breaking the security of \(S\) is at least as hard as solving \(P\). More precisely, we establish a relation that states \(\varepsilon _{\mathcal {A}} \le \ell \cdot \varepsilon _{\mathcal {R}}\). Here \(\varepsilon _{\mathcal {A}}\) and \(\varepsilon _{\mathcal {R}}\) are success probability of \(\mathcal {A}\) and \(\mathcal {R}\), respectively, and for simplicity we ignore the additive negligible terms and assume that the running time of \(\mathcal {R}\) is approximately the same as that of \(\mathcal {A}\).

Ideally, we want a reduction to be tight, namely, \(\ell \) to be a small constant. Recent works are also interested in “almost tight security”, where \(\ell \) may be (for instance, linearly or logarithmically) dependent on the security parameter, but not the size of \(\mathcal {A}\). We will not distinguish these two tightness notions, but state the precise security loss in security proofs and comparison of schemes. A tight security reduction means the security of \(S\) is tightly coupled with the hardness of \(P\). A scheme with tight reductions is more desirable since it provides the same level of security regardless of the application size. Moreover, we can implement it with smaller parameters and do not need to compensate for the security loss. As a result, tightly secure schemes drew a lot of attention in the last few years, from basic primitives, such as PKE [13, 14, 21] and signature [1, 15] schemes, to more advanced ones, such as (non-interactive) key exchange [10, 17, 22], zero-knowledge proof [2, 3], IBE [6, 9, 20, 23] and functional encryption [37] schemes. Currently, research is carried out to reduce the cost for tight security. For instance, for PKE, the public key size is shortened from being linear [13] (in the security parameter) to constant [14, 21]. In particular, the scheme in [14] only has one element more in the ciphertext overhead than its non-tight counterpart [28] asymptotically. By taking the concrete security loss into account, we are optimistic that scheme in [14] will have shorter ciphertext length in terms of bits.

Difficulties in achieving our goal. Given the existing research, it is quite challenging to construct a tightly secure HIBE, even for a bounded one. Firstly, the potential difficulty of this task has been shown by Lewko and Waters [34], namely, it is hard to prove an HIBE scheme with security loss less than exponential in \(L\), if its user secret keys are rerandomizable over all “functional” keys. Secondly, the work of Blazy, Kiltz, and Pan (BKP) [6] is the first that claimed to have solved this challenge by proposing a bounded tightly secure HIBE. Their scheme has indeed bypassed the impossibility result of [34] by having its user secret keys only rerandomizable in a subspace of all “functional” keys, which is similar to schemes based on the dual system technique [9, 32]. Unfortunately, shortly after its publication, a technical flaw was found in their proof, which shows that their proof strategy is insufficient for HIBE with flexible identity depth.

Recently, Langrehr and Pan have proposed the first tightly secure HIBE in the standard model [29]. A very recent and concurrent work [30] improves this HIBE and proposes a tightly secure HIBE in the multi-challenge setting. Core techniques in both papers crucially require their master public key size depend on the maximum hierarchy, \(L\). More precisely, they need to know \(L\) in advance so that they can choose independent master secret keys for different levels, which will be turned into master public keys. With these relatively large master secret keys, they can apply their independent randomization to isolate randomization for identities with different maximum levels. As a result, their scheme is bounded to the maximum level \(L\) of the whole HIBE scheme and its master public key size is dependent on \(L\).

1.2 Our Contribution

We construct the first tightly secure unbounded HIBE based on standard assumptions. Our scheme is furthermore tightly multi-challenge secure. The multi-challenge security is a more realistic notion for (H)IBE, where an adversary is allowed to query multiple challenge identities adaptively and obtain the corresponding ciphertexts. It has comparable efficiency to its non-tight counterparts [18, 31], and, in particular, it has shorter ciphertext and user secret key than the scheme of [31]. At the core of our construction is a novel technique that allows us to prove tight adaptive security of HIBE with “small”, hierarchy-independent master public keys.

More precisely, the identity space for our scheme \(\mathcal {ID}:=\mathcal {S}^*\) has unbounded depth and the base set \(\mathcal {S}\) can be arbitrary. In this section, we consider \(\mathcal {S}:=\{0,1\}^{n}\) for simplicity, where \(n\) is the security parameter. The master public key of our scheme is independent of \(L\) and contains only \(\mathbf {O}(n)\)-many group elements, which is the same as the existing tightly secure IBE schemes [6, 9, 20, 23].

All our security proofs are in the standard model and based on the Matrix Decisional Diffie-Hellman (MDDH) assumption [11] in prime-order asymmetric pairing groups. The MDDH assumption is a generalization of a class of Decisional Diffie-Hellman assumptions, such as the k-Lin [24] and aSymmetric eXternal Diffie-Hellman (SXDH) (for \(k=1\)) assumptions. The security of our MAC requires an additional assumption on the existence of collision-resistant hash functions. There exist collision-resistant hash functions in the standard model that maps arbitrary-length bit-strings to fixed-length ones using fixed-length keys. For instance, one can use the Merkle-Damgård construction with hash functions from the SHA familiy or the less efficient but completely provably secure one from the discrete logarithm assumption.

Efficiency comparison. We compare the efficiency of bounded and unbounded HIBE schemes in the standard model with prime-order pairings in Table 1. We note that [35] achieves a weaker notion of unbounded HIBE in the sense that their master public key is independent of \(L\), but the size of the user secret key is dependent on \(L\). More precisely, their user secret key contains \(\mathbf {\varOmega }(L-p)\)-many group elements for an identity \(\mathsf {id}:=(\mathsf {id}_1,\ldots ,\mathsf {id}_p)\).

According to Table 1, our scheme has shorter ciphertexts and user secret keys than \(\mathsf {Lew12}\), which is comparable to \(\mathsf {GCTC16}\). We note that both \(\mathsf {Lew12}\) and \(\mathsf {GCTC16}\) are unbounded HIBE with non-tight reductions, while ours are tight. Thus, when accounting for a larger security loss in the reduction with larger groups, our scheme may have shorter ciphertexts and user secret keys than \(\mathsf {GCTC16}\) at the concrete level. We want to emphasize that our scheme is not fully practical yet, but it lays down a theoretical foundation for more efficient unbounded HIBE with tight security in the future.

Extensions. Our unbounded HIBE scheme directly implies a tightly secure unbounded identity-based signature by the Naor transformation. Furthermore, our HIBE is compatible with the Quasi-Adaptive NIZK (QANIZK) for linear subspaces and thus, similar to [23] it can be combined with a tightly simulation-sound QANIZK to construct a tightly CCA-secure unbounded HIBE in the multi-challenge setting. We give a detailed treatment in the full version for completeness.

Table 1. Comparison of bounded and unbounded HIBEs in prime-order pairing groups with adaptive security in the standard model based on static assumptions. The second column indicates whether an HIBE is bounded (✗) or unbounded (✓). The identity space for bounded HIBE is \((\{0,1\}^{n})^{\le L}\) and that for unbounded HIBE is \((\{0,1\}^{n})^*\). \(\gamma \) is the bit length of the range of a collision-resistant hash function. ‘\(|\mathsf {mpk}|\),’ ‘\(|\mathsf {usk}|\),’ and ‘\(|\mathsf {C}|\)’ stand for the size of the master public key, a user secret key and a ciphertext, respectively. We count the number of group elements in \(\mathbb {G}_1, \mathbb {G}_2\), and \(\mathbb {G}_T\). For a scheme that works in symmetric pairing groups, we write \(\mathbb {G}(:=\mathbb {G}_1=\mathbb {G}_2)\). In the ‘\(|\mathsf {usk}|\)’ and ‘\(|\mathsf {C}|\)’ columns \(p\) stands for the hierarchy depth of the identity vector. In bounded HIBEs, \(L\) denotes the maximum hierarchy depth. In the security loss, \({Q}_{\mathsf {e}}\) denotes the number of user secret key queries by the adversary. MC stands for multi-challenge and this column indicates whether the adversary is allowed to query multiple challenge ciphertexts (✓) or just one (✗). \(\mathsf {Lew12}\) is the prime-order variant of the unbounded scheme in [33].
Full size table

1.3 Technical Overview

To achieve our goal, we develop a novel tight method that uses (limited) entropy hidden in hierarchy-independent master public key to generate enough entropy to randomize user secret keys of identities with unbounded hierarchy depths (in a computational manner). As a bonus, our technique naturally give us tight multi-challenge security.

A modular treatment: From MAC to HIBE. We follow the modular approach of Blazy, Kiltz, and Pan (BKP) [6] to construct our unbounded HIBE. The basis of our construction is a novel tightly secure message authentication code (MAC). Our MAC has suitable algebraic structures and thus can be turned into an unbounded HIBE tightly by adapting the BKP framework.

The BKP framework [6] tightly reduces constructing an (H)IBE to a suitable affine MAC. As a result, we only need to focus on constructing the suitable MAC. Affine MACs are algebraic MACs that have affine structures, and such structures allow transformation to (H)IBEs. This framework abstracts the first tightly secure IBE from Chen and Wee (CW) [9] and can be viewed as extending the “MAC \(\rightarrow \) Signature” framework of Bellare and Goldwasser [5] to the IBE setting by using the affine structure and pairings. Most of the tightly secure IBE and HIBE schemes are related to this framework, such as [19, 20, 23, 25, 29, 30].

Preparation: Shrinking the message space via hashing. We first apply a collision-resistant hash function to shrink the message space which the “bit-by-bit” argument applies on. More precisely, let \(H: \{0,1\}^* \rightarrow \{0,1\}^{n}\) be a collision-resistant hash function. For an (unbounded) hierarchical message \(\mathsf {m}:=(\mathsf {m}_1,\ldots ,\mathsf {m}_p) \in (\{0,1\}^n)^{p}\), we hash every i-th prefix (\(1\le i \le p\)) and have the hashed message \(\mathsf {hm}:=(\mathsf {hm}_1, \mathsf {hm}_2, \ldots , \mathsf {hm}_p)\) where \(\mathsf {hm}_i:=H(\mathsf {m}_1,\ldots ,\mathsf {m}_{i}) \in \{0,1\}^n\). The collision-resistance guarantees that it is hard for an adversary to find two distinct \(\mathsf {m}\) and \(\mathsf {m}^{\star }\) messages with \(H(\mathsf {m}) = H(\mathsf {m}^{\star })\). In particular, after hashing every prefixes of a message, if a hierarchical message \(\mathsf {m}\) is not a prefix of \(\mathsf {m}^{\star }\), then the last hash value of \(\mathsf {m}\) is different to every hash value of \(\mathsf {m}^{\star }\). As a result, our argument is only applied on the last hash value.

Our strategy: “Inject-and-Pack”. Our strategy contains two steps: (1) injecting enough randomness into MAC tags locally and (2) packing the local randomness and lift it up to the global level. Both steps are compatible with each other, and they only rely on the limited entropy in the hierarchy-independent MAC keys and can provide tight security even in the multi-challenge setting.

Our MAC has the following structures that enable our “inject-and-pack” strategy. This is captured by our MAC scheme \(\mathsf {MAC}_{u}\) in Sect. 3.2.

For a hierarchical message \(\mathsf {m}:=(\mathsf {m}_1,\ldots ,\mathsf {m}_{p})\), our MAC tag \(\tau _{\mathsf {m}}:=( (\left[ \mathbf {{t}}_i\right] _2,\left[ \tilde{\mathbf {{t}}}_i\right] _2,[\mathbf {{u}}_i]_2 )_{1\le i\le p}, [\tilde{\mathbf {{u}}}]_2)\) has the following form:

(1)

where , Footnote 2, for \(1\le j \le n, b\in \{0,1\}\) and and and they are all contained in the secret key of our MAC, namely, \(\mathsf {sk}_{\mathsf {MAC}}:=(\mathbf {{B}},\tilde{\mathbf {{B}}},(\mathbf {{X}}_{j,b})_{\text {for }1\le j \le n, b\in \{0,1\}}, \tilde{\mathbf {{X}}}_{1}, \tilde{\mathbf {{X}}}_{2},\mathbf {{x}}')\). Here the (hierarchical) message space of a MAC is the identity space of the resulting HIBE.

We highlight different purposes of different parts in our MAC tags:

  • randomizing is our end goal. In the resulting HIBE, once \(\mathbf {{x}}'\) is randomized, it will further randomize challenge ciphertexts;

  • the linear part, , is used to inject randomness;

  • with the packing helpers, and , we can transfer the injected randomness in \(\mathbf {{u}}_{p}\) to randomize .

We will discuss how to choose the dimensions of these random matrices and vectors to enable our strategy.

Before that, we stress that it is crucial to generate \((\left[ \mathbf {{t}}_i\right] _2,\left[ \tilde{\mathbf {{t}}}_i\right] _2,[\mathbf {{u}}_i]_2 )\) for all \(1\le i \le p\) and \(\mathsf {hm}_i:=H(\mathsf {m}_1,...,\mathsf {m}_i)\) so that we can delegate and randomize MAC tags for further levels by publishing \((\left[ \mathbf {{B}}\right] _2,\left[ \tilde{\mathbf {{B}}}\right] _2, (\left[ \mathbf {{X}}_{j,b} \mathbf {{B}}\right] _2)_{j,b}, \left[ \tilde{\mathbf {{X}}}_{1} \tilde{\mathbf {{B}}}\right] _2,\left[ \tilde{\mathbf {{X}}}_{2} \tilde{\mathbf {{B}}}\right] _2)\). Details about public delegation can be found in Remark 1 and the full version.

Interlude: Security requirement. The MAC security we need for the “MAC-to-HIBE” transformation is pseudorandomness against adaptive chosen message attacks, which is a decisional version of the \(\mathsf {EUF}\text {-} \mathsf {CMA}\) security of MAC. To simplify our discussion, we use the \(\mathsf {EUF}\text {-} \mathsf {CMA}\) notion only in this chapter, but in the main body we prove the decisional one. In the \(\mathsf {EUF}\text {-} \mathsf {CMA}\) security game, an adversary can adaptively ask many MAC tag queries and at some point it will submit one forgery. For the multi-challenge security, we allow the adversary submit multiple forgeries. Here we only consider one forgery for simplicity. Note that our technique works tightly for multiple forgeries.

Local step: Injecting randomness. Here we only focus terms in the solid box of Eq. (1) and find a right way to define the dimensions to implement the injection strategy. We note that one cannot use the idea of BKP MAC here, since it uses a square full-rank matrix \(\mathbf {{B}}\in \mathbb {Z}_q^{k\times k}\) and there is no room to hide \(\mathbf {{X}}_{j,b}\) from the published terms \(\left[ \mathbf {{X}}_{j,b} \mathbf {{B}}\right] _2\). These terms have to be public to delegate secret keys, while it is not a problem for IBE. Moreover, the same \((\mathbf {{X}}_{j,b})_{1\le j\le n, b\in \{0,1\}}\) is re-used for all \(\mathbf {{u}}_{i}\) and the injected randomness will be leaked along them, which is another issue we encounter with the BKP MAC.

To have control on where to inject randomness, we increase the number of row vectors in , namely, \({n_1}:=3k\), as the LP method in [29], where are row vectors. Now the column space of \(\mathbf {{B}}\), \(\mathsf {Span}(\mathbf {{B}}):=\{ \mathbf {{v}} \mid \exists \mathbf {{w}}\in \mathbb {Z}_q^k \text { s.t. } \mathbf {{v}}= \mathbf {{B}}\cdot \mathbf {{w}} \}\), is a subspace of \(\mathbb {Z}_{q}^{3k}\) and there is a non-zero kernel matrix \(\mathbf {{B}}^{\perp }\in \mathbb {Z}_q^{3k \times 2k}\) such that \((\mathbf {{B}}^{\perp })^{\top } \mathbf {{B}} = \mathbf {{0}} \in \mathbb {Z}_q^{2k\times k}\). \(\mathsf {Span}(\mathbf {{B}}^{\perp })\) is orthogonal to \(\mathsf {Span}(\mathbf {{B}})\).

We introduce a random function “inside” \(\mathsf {Span}(\mathbf {{B}}^{\perp })\) by tight reductions to the MDDH assumption and all \(\mathbf {{u}}_i\) (\(1\le i\le p\)) in Eq. (1) will distribute according to the following new form:

$$\begin{aligned} \mathbf {{u}}_{i} := \Big (\sum \nolimits _{j=1}^{n} \mathbf {{X}}_{j,{\mathsf {hm}_i}\llbracket j \rrbracket }^\top + {\mathsf {RF}(\mathsf {hm}_i) \cdot (\mathbf {{B}}^{\perp })^{\top }}\Big ) \mathbf {{t}}_i+ \tilde{\mathbf {{X}}}_{1} \tilde{\mathbf {{t}}}_i \in \mathbb {Z}_q\,.\end{aligned}$$
(2)

Now \(\mathsf {RF}(\mathsf {hm}_i)\) is multiplied by \(\mathbf {{B}}^{\perp }\) and we can control where it gets introduced by choose \(\mathbf {{t}}_i \notin \mathsf {Span}(\mathbf {{B}})\). More precisely, we only introduce the random function, \(\mathsf {RF}\), in \(\mathbf {{u}}_p\) at level \(p\) for a hierarchical identity \(\mathsf {m}:=(\mathsf {m}_1, ..., \mathsf {m}_p)\).

The above idea is borrowed from [29], but it is still not enough to correctly inject randomness: It only helps us to hide \(\mathsf {RF}\) in MAC tag queries, but we still have issue in answering the verification query for an adversary’s forgery. The issue described below does not happen in the BKP and LP [29] schemes, since our MAC has more expressive structure. More precisely, on a forgery of message \(\mathsf {m}^{\star }:=(\mathsf {m}^{\star }_1,...,\mathsf {m}^{\star }_p)\), we need to verify whether the forgery satisfies Eq. (1), which form an explicit hierarchy. Since we have no control of how an adversary computes its random \(\mathbf {{t}}_i^\star \), in answering one verification query, we compute \(\mathsf {RF}\) on \(p\) many distinct messages, . This leaks too much information about \(\mathsf {RF}\).

Our solution is to increase the number of row vectors in \(\mathbf {{X}}_{j,b}\) from 1 to k, namely, \({n_4}:=k\). As a result, there is room for us to use an assumption (namely, the MDDH assumption [11]) to tightly inject randomness into these row vectors. Thus, in the end, verification equations defined by Eq. (1) get randomized and the information about \(\mathsf {RF}\) is properly hidden. We refer Lemma 4 for technical details. The whole core step is formally captured by the Randomness Injection Lemma (cf. Lemma 4). Furthermore, this lemma abstracts the core ideas of [30].

Global step: Packing randomness. After the randomness is injected in \(\mathbf {{u}}_i\) at the local level, we pack and move it into the global level to randomize \(\mathbf {{x}}'\) which will be use to randomize the challenge ciphertexts. Implicitly, we pack the randomness firstly in \(\tilde{\mathbf {{t}}}_{p}\) for an identity has \(p\) levels via the packing helper \(\tilde{\mathbf {{X}}}_{1} \tilde{\mathbf {{t}}}_p\). Secondly, via another packing helper \( \tilde{\mathbf {{X}}}_{2} \tilde{\mathbf {{t}}}_p\), we move the randomness into \(\tilde{\mathbf {{u}}}\).

We choose , namely, \({n_2}:=2k\), so that there is enough room to implement the above packing steps. Although the randomness is successfully injected, it may be leaked from MAC tag and verification queries during the packing process. In particular, we have small MAC secret keys. To accomplish the task, we carefully design several intermediate hybrid steps and apply the MDDH assumption several times. We refer Lemma 5 for details. The whole core step is formally captured by the Randomness Packing Lemma (cf. Lemma 5).

An alternative interpretation: Localizing HIBEs into IBEs, tightly. In contrast to the methods of Langrehr and Pan [29, 30], our overall idea can be viewed as localizing a p-level HIBE into p IBE pieces which share the same master public and secret keys, and p is an arbitrary integer. In the security proof, we generate enough entropy locally and then extract it to the global level to argue the security of HIBE. Such an idea is borrowed from [18, 31, 33], where some variants of Boneh-Boyen’s IBE [7] are used at the local level and all these IBE pieces are connected via a secret sharing method. However, implementing this idea with tight reductions is rather challenging, even with the existing tightly secure (H)IBEs (such as [6, 9, 20, 29, 30]). We observed that these techniques either fail to introduce local entropy or cannot collect the local randomness to argue the security of the (global) HIBE.

1.4 More Discussion on Related Work

The family of LP HIBE schemes. To implement the “level-by-level” argument, the LP HIBEs [29, 30] require the size of master public keys dependent on the maximum hierarchy depth, \(L\), so that they have enough entropy to randomize corresponding MAC tags.

Our approach provides an economic, tightly secure technique to do the randomization with more compact and hierarchy-independent master keys. Our technique uses and abstracts the core technique in a very recent and concurrent work [30] to inject randomness. As we showed above, injecting randomness is not enough for our goal and we require an additional suitable randomness packing technique. [30] achieves tight multi-challenge security for bounded HIBE, while ours is for unbounded HIBE.

Other techniques for tight multi-challenge security. Over the last few years, several techniques have been proposed for tightly secure IBE in the multi-challenge setting, such as [4, 19, 20, 23, 25], where [4, 19] are based on strong and non-standard assumptions and [25] requires a composite-order group. Motivated by [25], the work of [20, 23] construct the tightly multi-challenge secure IBE schemes in the prime-order group and they both follow the BKP method. They have the same limitation as discussed in the “Local Step: Injecting randomness” section and cannot be used for our goal, since their \(\mathbf {{B}}\) is also full-rank square matrix. The same kind of information about \(\mathbf {{X}}_{j,b}\) is leaked.

Furthermore, in the work of Hofheinz, Jia, and Pan [23] (also in [20] and BKP), they randomize their MAC by developing a random function, \(\mathsf {RF}\), in the \(\mathbb {Z}_q\) full space gradually. This is problematic in the unbounded HIBE setting: When we “plug” their MAC into our framework, there is no room to hide \(\mathsf {RF}\) and by a “mix-and-match” approach an adversary can learn , where . Imagine a challenge message \(\mathsf {m}^{\star }\in \{0,1\}^{n}\). By asking a MAC tag of \((\mathsf {m}^{\star },\mathsf {m})\), an adversary can easily learn from \(\mathbf {{u}}_1\). Finally, [29] has discussed why these multi-challenge security techniques cannot be used for HIBEs.

Other unbounded technique. Chen et al. [8] proposes a variant of the bilinear entropy expansion lemma [27] in prime-order groups, which can be used to transform a (bounded) attribute-based encryption (ABE) scheme to an unbounded one in a tight manner. However, we note that their lemma requires a certain algebraic structure of the underlying scheme, which the LP schemes [29, 30] do not have. Moreover, they only prove their scheme in the single-challenge setting, and it is not clear for us whether their single-challenge security tightly implies multi-challenge security.

Open problems. It is interesting to consider if we can extend our “inject-and-pack” strategy in a more general setting, such as predicate encryption schemes. Another open problem is to consider the Master-Key-KDM security [12] for HIBEs. Garg et al. [12] proposed a Master-Key-KDM secure IBE based on a tightly multi-challenge secure IBE. We are optimistic that our unbounded HIBE can be adapted to achieve the KDM security by following the approach of Garg et al., since our scheme has tight multi-challenge security as well. However, we leave a formal treatment of it as an open problem.

2 Preliminaries

Notations. We use to denote the process of sampling an element x from \(\mathcal {S}\) uniformly at random if \(\mathcal {S}\) is a set and to denote the process of running \(\mathcal {S}\) with its internal randomness and assign the output to x if \(\mathcal {S}\) is an algorithm. The expression stands for comparing a and b on equality and returning the result in Boolean value. For positive integers \(k, \eta \in \mathbb {N}_+\) and a matrix , we denote the upper square matrix of by and the lower \(\eta \) rows of by . Similarly, for a column vector \(\mathbf {{v}} \in \mathbb {Z}_q^{k+\eta }\), we denote the upper k elements by \(\overline{\mathbf {{v}}} \in \mathbb {Z}_q^{k}\) and the lower \(\eta \) elements of \(\mathbf {{v}}\) by \(\underline{\mathbf {{v}}} \in \mathbb {Z}_q^{\eta }\). We use as shorthand for . \(\mathsf {GL}_{k}\left( \mathbb {Z}_q\right) \) denotes the set of invertible \(k\times k\) matrices in \(\mathbb {Z}_q\). is the \(k \times k\) identity matrix. For a matrix , we use to denote the linear span of and – unless state otherwise – denotes an arbitrary matrix with .

For a set \(\mathcal {S}\) and \(n\in \mathbb {N}_+\), \(\mathcal {S}^{n}\) denotes the set of all n-tuples with components in \(\mathcal {S}\) and \(\mathcal {S}^{*}:=\bigcup _{n=1}^{\infty }\mathcal {S}^{n}\). For an n-tuple or string \(\mathsf {m}\in \mathcal {S}^{n}\), \(\mathsf {m}_i\in \mathcal {S}\) and both denote the i-th component of \(\mathsf {m}\) (\(1\le i\le n\)) and \(\mathsf {m}_{|i}\in \mathcal {S}^i\) denotes the prefix of length i of \(\mathsf {m}\).

All algorithms in this paper are probabilistic polynomial-time unless we state otherwise. If \(\mathcal {A}\) is an algorithm, then we write to denote the random variable outputted by \(\mathcal {A}\) on input b.

Games. Following [6], we use code-based games to define and prove security. A game contains procedures \(\textsc {Init}\) and \(\textsc {Finalize}\), and some additional procedures , which are defined in pseudo-code. Initially all variables in a game are undefined (denoted by \(\bot \)), all sets are empty (denote by \(\emptyset \)), and all partial maps (denoted by \(f:A\dashrightarrow B\)) are totally undefined. An adversary \(\mathcal {A}\) is executed in game (denote by ) if it first calls \(\textsc {Init}\), obtaining its output. Next, it may make arbitrary queries to \(\textsc {P}_i\) (according to their specification), again obtaining their output. Finally, it makes one single call to \(\textsc {Finalize}(\cdot )\) and stops. We use to denote that outputs d after interacting with \(\mathcal {A}\), and d is the output of \(\textsc {Finalize}\). \(T\left( \mathcal {A}\right) \) denotes the running time of \(\mathcal {A}\).

2.1 Pairing Groups and Matrix Diffie-Hellman Assumptions

Let \(\mathsf {GGen}\) be a probabilistic polynomial-time (PPT) algorithm that on input \(1^\lambda \) returns a description \(\mathcal {G}:=\left( \mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,q,{P}_1,{P}_2,e\right) \) of asymmetric pairing groups where \(\mathbb {G}_1\), \(\mathbb {G}_2\), \(\mathbb {G}_T\) are cyclic groups of order q for a \(\lambda \)-bit prime q. The group elements \({P}_1\) and \({P}_2\) are generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. The function \(e: \mathbb {G}_1\times \mathbb {G}_2\rightarrow \mathbb {G}_T\) is an efficient computable (non-degenerated) bilinear map. Define \({P}_T:=e({P}_1, {P}_2)\), which is a generator in \(\mathbb {G}_T\). In this paper, we only consider Type III pairings, where \(\mathbb {G}_1\ne \mathbb {G}_2\) and there is no efficient homomorphism between them. All constructions in this paper can be easily instantiated with Type I pairings by setting \(\mathbb {G}_1=\mathbb {G}_2\) and defining the dimension k to be greater than 1.

We use the implicit representation of group elements as in [11]. For \(s \in \) \(\{1,2,T\}\) and \(a \in \mathbb {Z}_q\) define \([a]_s = a {P}_s\in \mathbb {G}_s\) as the implicit representation of a in \(\mathbb {G}_s\). Similarly, for a matrix we define as the implicit representation of in \(\mathbb {G}_s\). denotes the linear span of , and similarly . Note that it is efficient to compute given or with matching dimensions. We define , which can be efficiently computed given and .

Next we recall the definition of the matrix Diffie-Hellman (\(\mathsf {MDDH}\)) and related assumptions [11].

Definition 1

(Matrix distribution). Let \(k,\ell \in \mathbb {N}\) with \(\ell >k\). We call \(\mathcal {D}_{\ell ,k}\) a matrix distribution if it outputs matrices in \(\mathbb {Z}_q^{\ell \times k}\) of full rank k in polynomial time.

Without loss of generality, we assume the first k rows of form an invertible matrix. The \(\mathcal {D}_{\ell ,k}\)-matrix Diffie-Hellman problem is to distinguish the two distributions and where , and .

Definition 2

(\(\mathcal {D}_{\ell ,k}\)-matrix Diffie-Hellman assumption). Let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution and \(s \in \{1,2,T\}\). We say that the \(\mathcal {D}_{\ell ,k}\)-matrix Diffie-Hellman (\(\mathcal {D}_{\ell ,k}\text {-}\mathsf {MDDH}\)) assumption holds relative to \(\mathsf {PGGen}\) in group \(\mathbb {G}_s\) if for all PPT adversaries \(\mathcal {A}\), it holds that

is negligible where the probability is taken over , and .

The uniform distribution is a particular matrix distribution that deserves special attention, as an adversary breaking the \(\mathcal {U}_{\ell ,k}\) assumption can also distinguish between real \(\mathsf {MDDH}\) tuples and random tuples for all other possible matrix distributions. For uniform distributions, they stated in [13] that \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) and \(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\) assumptions are equivalent.

Definition 3

(Uniform distribution). Let \(k,\ell \in \mathbb {N}_+\) with \(\ell >k\). We call \(\mathcal {U}_{\ell ,k}\) a uniform distribution if it outputs uniformly random matrices in \(\mathbb {Z}_q^{\ell \times k}\) of rank k in polynomial time. Let \(\mathcal {U}_k:=\mathcal {U}_{k+1,k}\).

Lemma 1

(\(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\Leftrightarrow \mathcal {U}_k\text {-}\mathsf {MDDH}\) [13]). Let \(\ell ,k\in \mathbb {N}_+\) with \(\ell >k\). An \(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\) instance is as hard as an \(\mathcal {U}_k\text {-}\mathsf {MDDH}\) instance. More precisely, for each adversary \(\mathcal {A}\) there exists an adversary and vice versa with

and \(T\left( \mathcal {A}\right) \approx T\left( \mathcal {B}\right) \).

Lemma 2

(\(\mathcal {D}_{\ell ,k}\text {-}\mathsf {MDDH}\Rightarrow \mathcal {U}_k\text {-}\mathsf {MDDH}\) [11]). Let \(\ell ,k\in \mathbb {N}_+\) with \(\ell >k\) and let \(\mathcal {D}_{\ell ,k}\) be a matrix distribution. A \(\mathcal {U}_k\text {-}\mathsf {MDDH}\) instance is at least as hard as an \(\mathcal {D}_{\ell ,k}\) instance. More precisely, for each adversary \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

$$ \mathsf {Adv}^{\mathsf {mddh}}_{\mathcal {U}_{k},\mathsf {PGGen},s}(\mathcal {A})\le \mathsf {Adv}^{\mathsf {mddh}}_{\mathcal {D}_{\ell ,k},\mathsf {PGGen},s}(\mathcal {B}) $$

and \(T\left( \mathcal {A}\right) \approx T\left( \mathcal {B}\right) \).

For \(Q \in \mathbb {N}_+\), , consider the Q-fold \(\mathcal {D}_{\ell ,k}\text {-}\mathsf {MDDH}\) problem which is distinguishing the distributions and . That is, the Q-fold \(\mathcal {D}_{\ell ,k}\text {-}\mathsf {MDDH}\) problem contains Q independent instances of the \(\mathcal {D}_{\ell ,k}\text {-}\mathsf {MDDH}\) problem (with the same but different \(\mathbf {{w}}_i\)). By a hybrid argument, one can show that the two problems are equivalent, where the reduction loses a factor Q. The following lemma gives a tight reduction.

Lemma 3

(Random self-reducibility [11]). For \(\ell >k\) and any matrix distribution \(\mathcal {D}_{\ell ,k}\), the \(\mathcal {D}_{\ell ,k}\text {-}\mathsf {MDDH}\) assumption is random self-reducible. In particular, for any \(Q\in \mathbb {N}_+\) and any adversary \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

figure bn

where , , , , and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +Q\cdot \mathsf {poly}\left( \lambda \right) \), where \(\mathsf {poly}\) is a polynomial independent of \(\mathcal {A}\).

To reduce the Q-fold \(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\) assumption to the \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) assumption we have to apply Lemma 3 to get from Q-fold \(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\) to standard \(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\) and then Lemma 1 to get from \(\mathcal {U}_{\ell ,k}\text {-}\mathsf {MDDH}\) to \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\). Thus for every adversary \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

$$ \mathsf {Adv}^{Q\text {-}\mathsf {mddh}}_{\mathcal {U}_{\ell ,k},\mathsf {PGGen},s}(\mathcal {A})\le \left( \ell -k\right) \mathsf {Adv}^{\mathsf {mddh}}_{\mathcal {U}_{k},\mathsf {PGGen},s}(\mathcal {B})+\frac{1}{q-1}\,.$$

Formal definitions of collision-resistant hash functions (CRHF) and message authentication codes (MACs) can be found in the full version.

3 Unbounded Affine MAC

3.1 Core Lemmata

The following two core Lemmata contain the main ingredient for the security proof of our new unbounded MAC. They form the main technical novelty of this work. Lemma 4 abstracts the technique used in [30]. It shows that the prototypic MAC \(\mathsf {MAC}_{\mathsf {lin}}\) allows the injection of randomness in the tags.

We give a brief overview of how \(\mathsf {MAC}_{u}\) is constructed from \(\mathsf {MAC}_{\mathsf {lin}}\): For a p-level hierarchical message \(\mathsf {m}:=(\mathsf {m}_1,\ldots ,\mathsf {m}_p) \in (\{0,1\}^{\gamma })^p\), we divide it into p pieces and each where H is a collision-resistant hash function (CRHF). For each we apply \(\mathsf {MAC}_{\mathsf {lin}}\) on it and the purpose of \(\mathsf {MAC}_{\mathsf {lin}}\) is to inject suitable randomness at the local level.

Lemma 5 is then used to move the entropy from \(\mathbf {{u}}_{p}\) to the vector \(\tilde{\mathbf {{u}}}\) and randomize it. This makes the user secret keys information-theoretically independent from the secret \(\mathbf {{x}}'\) and allows us to randomize \(h_K\) in the \(\textsc {Chal}\) queries.

Fig. 1.
figure 1

Our linear MAC \(\mathsf {MAC}_{\mathsf {lin}}\) for the message space

Full size image

Randomness Injection Lemma. We start our exposition with a message authentication code (MAC) with linear structureFootnote 3 in Fig. 1, \(\mathsf {MAC}_{\mathsf {lin}}\). This MAC scheme is abstracted from [30]. The tags of this MAC can be verified by checking whether , but we require the more sophisticated randomized verification procedure as in Fig. 1 for the transformation to an unbounded HIBE later.

The MAC \(\mathsf {MAC}_{\mathsf {lin}}\) is correct, since

Our \(\mathsf {MAC}_{\mathsf {lin}}\) is a stepping stone for our unbounded MAC for constructing HIBEs. For the transformation to unbounded HIBE our \(\mathsf {MAC}_{\mathsf {lin}}\) satisfies a special security notion which is captured by Lemma 4. This security notion needs to combine with Lemma 5 to get a secure MAC for the unbounded HIBE (cf. Sect. 3.2).

In the security experiment (defined in Fig. 2), the adversary gets values in \(\mathsf {dk}_1\) that allow her to rerandomize tags. These values also allows her to forge arbitrary tags. This is the reason why it is not a secure MAC, but the goal of the adversary here is not to forge a tag, but to distinguish two games \(\mathsf {RI}_{\mathsf {real}}\) and \(\mathsf {RI}_{\mathsf {rand}}\). More precisely, \(\mathcal {A}\) gets access to two oracles, \(\textsc {Eval}_{\mathsf {ri}}\) that gives her a tag for a message, and \(\textsc {Chal}_{\mathsf {ri}}\) that gives her necessary values to check validity of a tag. She can query these two oracles arbitrary times in an adaptive manner, but for each message \(\mathcal {A}\) can query it for either \(\textsc {Eval}_{\mathsf {ri}}\) or \(\textsc {Chal}_{\mathsf {ri}}\), but not both. \(\mathcal {A}\) wins if she can distinguish game \(\mathsf {RI}_{\mathsf {real}}\) from \(\mathsf {RI}_{\mathsf {rand}}\). For technical reasons the verification tokens are also randomized over when the tags are random. The formal security game can be found in Fig. 2. Interestingly, Lemma 4 can be used to prove the security of LP HIBEs in [30] in a black-box manner. Essentially, Lemma 4 has a similar purpose as the core lemma in [15], namely, to inject randomness.

Fig. 2.
figure 2

Games \(\mathsf {RI}_{\mathsf {real}}\) and that define the security of \(\mathsf {MAC}_{\mathsf {lin}}\). The function \(\mathsf {RF}:\{0,1\}^{\gamma }\rightarrow \mathbb {Z}_q^{k\times 2k}\) is a random function, defined on-the-fly.

Full size image
Fig. 3.
figure 3

Hybrids for the security proof of Lemma 4.

Full size image

Lemma 4

(Randomness Injection Lemma). For all adversaries \(\mathcal {A}\) there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) with

figure bz

and \(T\left( \mathcal {B}_1\right) \approx T\left( \mathcal {B}_2\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) \cdot \mathsf {poly}\left( \lambda \right) \), where \(Q_e\) resp. \(Q_c\) denotes the number of \(\textsc {Eval}_{\mathsf {ri}}\) resp. \(\textsc {Chal}_{\mathsf {ri}}\) queries of \(\mathcal {A}\) and \(\mathsf {poly}\) is a polynomial independent of \(\mathcal {A}\). \(\mathsf {RI}_{\mathsf {real}}\) and \(\mathsf {RI}_{\mathsf {rand}}\) are defined as in Fig. 2.

We give the overall hybrids used to prove this Lemma in Fig. 3. The proof can be found in the full version.

Fig. 4.
figure 4

Our unbounded affine MAC \(\mathsf {MAC}_{u}\). It uses a CRHF \(\mathcal {H}\) with domain \(\mathcal {S}^{*}\) and range \(\{0,1\}^{\gamma }\). Throughout the scheme, with values generated in \(\mathsf {Gen}_{\mathsf {MAC}}\). The linear MAC components are highlighted in gray.

Full size image

Randomness Packing Lemma. We will use a tight variant of the Lewko-Waters approach [33] to tie these local, linear tags together and move entropy from the local to the global part. Lemma 5 captures this approach.

Lemma 5

(Randomness Packing Lemma). For all adversaries \(\mathcal {A}\) there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) with

figure cb

and \(T\left( \mathcal {B}_1\right) \approx T\left( \mathcal {B}_2\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) \cdot \mathsf {poly}\left( \lambda \right) \), where \(Q_e\) resp. \(Q_c\) denotes the number of \(\textsc {Eval}_{\mathsf {rp}}\) resp. \(\textsc {Chal}_{\mathsf {rp}}\) queries of \(\mathcal {A}\) and \(\mathsf {poly}\) is a polynomial independent of \(\mathcal {A}\). \(\mathsf {RP}_{\mathsf {real}}\) and \(\mathsf {RP}_{\mathsf {rand}}\) are defined as in Fig. 5.

Proof

The proof uses a hybrid argument with hybrids \(\mathsf {G}_0\) (the \(\mathsf {RP}_{\mathsf {real}}\) game), \(\mathsf {G}_1\), \(\mathsf {G}_2\), and \(\mathsf {G}_3\) (the \(\mathsf {RP}_{\mathsf {rand}}\) game). The hybrids are given in Fig. 6. A summary can be found in Table 2.

Lemma 6

(\(\mathsf {G}_0\rightsquigarrow \mathsf {G}_1\)). For all adversaries \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) \cdot \mathsf {poly}\left( \lambda \right) \).

figure cc

Proof

The only difference between these two games is, that the \(\textsc {Eval}\) queries pick the vectors \(\tilde{\mathbf {{t}}}\) uniformly random from \(\mathbb {Z}_q^{2k}\) instead of only from . This leads to a straightforward reduction to the \(Q_e\)-fold assumption on .    \(\square \)

Lemma 7

(\(\mathsf {G}_1\rightsquigarrow \mathsf {G}_2\)). For all adversaries \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) \cdot \mathsf {poly}\left( \lambda \right) \).

figure cg

Proof

In game \(\mathsf {G}_2\) the -part of \(\tilde{\mathbf {{h}}}_{0}\) (for all ) is uniformly random. To switch to this game, pick a \(Q_c\)-fold challenge and use the reduction in Fig. 7.

Assume that is invertible. This happens with probability at least \((1-1/\left( q-1\right) )\). The \(\textsc {Init}\), \(\textsc {Eval}\), and \(\textsc {Finalize}\) oracles are identical in both games. The reduction correctly simulates \(\textsc {Init}\) because the summand cancels out in public key.

To analyze the \(\textsc {Chal}\) queries define where \(\mathbf {{w}}_{c}\) is uniform random in and is \(\mathbf {{0}}\in \mathbb {Z}_q^{k}\) or uniform random in \(\mathbb {Z}_q^{k}\). The reduction defines \(\mathbf {{h}}:=\overline{\mathbf {{f}}_{c}}\), which is a uniform random vector.

The vector \(\tilde{\mathbf {{h}}}_{0}\) is then computed as

If \(\mathbf {{r}}_{c}=\mathbf {{0}}\), the reduction is simulating game \(\mathsf {G}_1\) and if \(\mathbf {{r}}_{c}\) is uniform, the reduction is simulating \(\mathsf {G}_2\).    \(\square \)

Fig. 5.
figure 5

Games \(\mathsf {RP}_{\mathsf {real}}\) and for Lemma 5.

Full size image
Table 2. Summary of the hybrids in Fig. 6. \(\textsc {Eval}_{\mathsf {rp}}\) queries draw \(\tilde{\mathbf {{t}}}\) from the set described by the second column and add a uniform random element from the set \(r_{\tilde{\mathbf {{u}}}}\) to \(\tilde{\mathbf {{u}}}\). The \(\textsc {Chal}_{\mathsf {rp}}\) queries add a uniform random element from \(r_{\tilde{\mathbf {{h}}}_{0}}\) to each \(\tilde{\mathbf {{h}}}_{0}\). The background color indicates repeated transitions.
Full size table

Lemma 8

(\(\mathsf {G}_2\rightsquigarrow \mathsf {G}_3\)). For all adversaries \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) \cdot \mathsf {poly}\left( \lambda \right) \).

figure ct
Fig. 6.
figure 6

Hybrids for the security proof of Lemma 5.

Full size image

Proof

In game \(\mathsf {G}_3\) the vector \(\tilde{\mathbf {{u}}}\) is chosen uniformly random. For the transition to this game, we need a \(Q_e\)-fold \(\mathcal {U}_{2k,k}\text {-}\mathsf {MDDH}\) challenge. The reduction is given in Fig. 8.

The reduction aborts if the upper or lower \(k\times k\)-submatrix of does not have full rank. This happens only with probability at most \(2/\left( q-1\right) \). Assume in the following, that the reduction does not abort. Furthermore assume \(q>2\).

The way we defined and we get the following three properties:

(3)
(4)
(5)

To see Eq. (5), note that this is equivalent to the column vectors of

being linear independent. Assume there exist with

$$ \mu _{1}\mathbf {{b}}_1+\cdots +\mu _{2k}\mathbf {{b}}_{2k}=\mathbf {{0}}\,.$$

Looking at the first \(k\) entries in each vector and using that has full rank we get

Now looking at the remaining lower \(k\) entries and using that the column vectors of can not be \(\mathbf {{0}}\) (because we already assumed that has full rank) we get that

Fig. 7.
figure 7

Reduction for the transition from \(\mathsf {G}_1\) to \(\mathsf {G}_2\) to the \(Q_c\)-fold challenge .

Full size image
Fig. 8.
figure 8

Reduction for the transition from \(\mathsf {G}_2\) to \(\mathsf {G}_3\) to the \(Q_e\)-fold \(\mathcal {U}_{2k,k}\text {-}\mathsf {MDDH}\) challenge .

Full size image

The \(\textsc {Init}\) oracle is identically distributed in both games and correctly simulated by the reduction, because the cancels out in the public key.

The \(\textsc {Chal}\) oracle is also distributed identically in both games and simulated correctly since the -part of \(\tilde{\mathbf {{h}}}_{0}\) is uniform random. More precisely, is identically distributed to . Thus \(\tilde{\mathbf {{h}}}_{0}\) as computed by the reduction:

is identically distributed to

which is the real \(\tilde{\mathbf {{h}}}_{0}\).

To analyze the \(\textsc {Eval}\) queries, define where \(\mathbf {{w}}_{c}\) is uniform random in and is \(\mathbf {{0}}\in \mathbb {Z}_q^{k}\) or uniform random in \(\mathbb {Z}_q^{k}\). In the \(\textsc {Eval}\) queries the reduction computes \(\tilde{\mathbf {{t}}}\) as , but this is distributed identically to a uniform random vector, because \(\tilde{\mathbf {{s}}}\) and \(\overline{\mathbf {{f}}_{c}}\) are uniform random and are a basis of \(\mathbb {Z}_q^{2k}\) (see Eq. (5)).

The vector \(\tilde{\mathbf {{u}}}\) is computed as

If , the reduction is simulating game \(\mathsf {G}_2\) and if is uniform, the reduction is simulating \(\mathsf {G}_3\).    \(\square \)

figure dq

Summary. To prove Lemma 5, we combine Lemmata 68.    \(\square \)

3.2 An Unbounded Affine MAC

Our next step is to construct an unbounded affine MAC as in Fig. 4. Again, our idea is to divide a hierarchical message into \(p\) pieces (\(1\le i \le p\)) by using a CRHF H. In stark contrast to methods in [29, 30], we generate a MAC tag for each with the same secret key. More precisely, we apply \(\mathsf {MAC}_{\mathsf {lin}}\) on each , and additionally we have a wrapper, namely, \(\tilde{\mathbf {{X}}}_1 \cdot \tilde{\mathbf {{t}}}_i\) to connect all these \(p\) pieces together.

One can show \(\mathsf {MAC}_{u}\) is a secure MAC according to the (standard) UF-CMA security (cf. the full version). Our \(\mathsf {MAC}_{u}\) has stronger security which is formally stated in Theorem 1.Footnote 4 It is not a standard security for a MAC scheme, but it is exactly what we need for the transformation to unbounded HIBE. As in the security game for linear MACs, values in \(\mathsf {dk}_{1}\) and \(\mathsf {dk}_{2}\) can be used to rerandomize tags (cf. Remark 1). Oracle \(\textsc {Eval}\) is available to an adversary \(\mathcal {A}\) for a tag on any message of her choice. Moreover, oracle \(\textsc {Chal}\) provides \(\mathcal {A}\) necessary values to check validity of a tag. She can query these two oracles arbitrary many times in an adaptive manner. In the end, \(\mathcal {A}\) needs to distinguish during the experiment \(\textsc {Chal}\) always gives her the real values or the random ones. Of course, we exclude the case where \(\mathcal {A}\) trivially wins by asking \(\textsc {Eval}\) for any prefix of a challenge message \(\mathsf {m}^{\star }\). The formal security game can be found in Fig. 9.

Fig. 9.
figure 9

Games \(\mathsf {uMAC}_{\mathsf {real}}\) and for defining security for \(\mathsf {MAC}_{u}\).

Full size image

Remark 1

(Delegation). The tags of \(\mathsf {MAC}_{u}\) are delegatable in the following sense: Given a tag \(\tau =\left( \left( \left[ \mathbf {{t}}_{i}\right] _2,\left[ \tilde{\mathbf {{t}}}\right] _2,\left[ \mathbf {{u}}_{i}\right] _2\right) _{1\le i\le p},\left[ \tilde{\mathbf {{u}}}\right] _2\right) \) for a message , one can compute a fresh tag \(\tau ''\) for a message for arbitrary \(\mathsf {m}_{p+1}\in \mathcal {S}\) using only the “public key” returned from the \(\textsc {Init}_{\mathsf {MAC}}\) oracle in the \(\mathsf {uMAC}_{\mathsf {real}}\) game. We call the tag \(\tau ''\) fresh, because its distribution is independent of \(\tau \).

First, we define the tag \(\tau '\) for \(\mathsf {m}'\) as \(\tau ':=\left( \left( \left[ \mathbf {{t}}_{i}'\right] _2,\left[ \tilde{\mathbf {{t}}}'\right] _2,\left[ \mathbf {{u}}_{i}'\right] _2\right) _{1\le i\le p+1},\left[ \tilde{\mathbf {{u}}}'\right] _2\right) \). This tag is identical to \(\tau \) on the first \(p\) levels, i.e., for all we define \(\mathbf {{t}}_{i}':=\mathbf {{t}}_{i}\), \(\tilde{\mathbf {{t}}}':=\tilde{\mathbf {{t}}}\) and \(\mathbf {{u}}_{i}':=\mathbf {{u}}_{i}\). Furthermore we define \(\mathbf {{t}}_{p+1}':=\mathbf {{0}}\), \(\tilde{\mathbf {{t}}}':=\mathbf {{0}}\), \(\mathbf {{u}}_{p+1}'=\mathbf {{0}}\) and \(\tilde{\mathbf {{u}}}':=\tilde{\mathbf {{u}}}\). The resulting tag \(\tau \) is indeed a valid tag for \(\mathsf {m}'\), but it is not fresh.

To get a fresh tag \(\tau '':=\left( \left( \left[ \mathbf {{t}}_{i}''\right] _2,\left[ \tilde{\mathbf {{t}}}''\right] _2,\left[ \mathbf {{u}}_{i}''\right] _2\right) _{1\le i\le p+1},\left[ \tilde{\mathbf {{u}}}''\right] _2\right) \), we rerandomize the tag \(\tau '\). That is, for all we define and for uniform random and . Moreover, we adapt \(\mathbf {{u}}_{i}\) and \(\tilde{\mathbf {{u}}}\) to the new \(\mathbf {{t}}_{i}''\) and \(\tilde{\mathbf {{t}}}_i''\) in the following way:

figure ee

Theorem 1

(Security of \(\mathsf {MAC}_{u}\)). \(\mathsf {MAC}_{u}\) is tightly secure under the \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) assumption for \(\mathbb {G}_1\), the \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) assumption for \(\mathbb {G}_2\) and the collision resistance of \(\mathcal {H}\). More precisely, for all adversaries \(\mathcal {A}\) there exist adversaries \(\mathcal {B}_1\), \(\mathcal {B}_2\) and \(\mathcal {B}_3\) with

figure ef

and \(T\left( \mathcal {B}_1\right) \approx T\left( \mathcal {B}_2\right) \approx T\left( \mathcal {B}_3\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) L\cdot \mathsf {poly}\left( \lambda \right) \), where \(Q_e\) resp. \(Q_c\) denotes the number of \(\textsc {Eval}\) resp. \(\textsc {Chal}\) queries of \(\mathcal {A}\), \(L\) denotes the maximum length of the messages for which the adversary queried a tag or a challenge, and \(\mathsf {poly}\) is a polynomial independent of \(\mathcal {A}\).

Proof

The proof uses a hybrid argument with hybrids \(\mathsf {G}_0\)\(\mathsf {G}_5\), where \(\mathsf {G}_0\) is the \(\mathsf {uMAC}_{\mathsf {real}}\) game. The hybrids are given in Fig. 10. They make use of the random function , defined on-the-fly.

Fig. 10.
figure 10

Hybrids \(\mathsf {G}_0\)\(\mathsf {G}_5\) for the security proof of \(\mathsf {MAC}_{u}\). The algorithm \({\mathsf {RerandTag}}\) is only helper function and not an oracle for the adversary. The partial map is initially totally undefined.

Full size image

Lemma 9

(\(\mathsf {G}_0\rightsquigarrow \mathsf {G}_1\)).

figure ei

Proof

In game \(\mathsf {G}_1\) each time the adversary queries a tag for a message \(\mathsf {m}\), where she queried a tag for \(\mathsf {m}\) before, the adversary will get a rerandomized version of the first tag she queried. The \({\mathsf {RerandTag}}\) algorithm chooses and , which is uniformly random in resp. , independent of \(\mathbf {{t}}_{i}\) and \(\tilde{\mathbf {{t}}}\), because \(\mathbf {{s}}_{i}'\) and \(\tilde{\mathbf {{s}}}'\) are uniform random in \(\mathbb {Z}_q^{k}\). The \({\mathsf {RerandTag}}\) algorithm then computes \(\mathbf {{u}}_{i}'\) and \(\tilde{\mathbf {{u}}}'\) such to get another valid tag for \(\mathsf {m}\), that is distributed like a fresh tag, independent of the input tag. Thus the games are equivalent.

Note that the rerandomization uses only the “public key” returned by the \(\textsc {Init}\) oracle so that it could be carried out by the adversary herself. In the following, we will ignore these duplicated \(\textsc {Eval}\) queries.    \(\square \)

Lemma 10

(\(\mathsf {G}_1\rightsquigarrow \mathsf {G}_2\)). For all adversaries \(\mathcal {A}\) there exist adversaries \(\mathcal {B}_1\) and \(\mathcal {B}_2\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) L\cdot \mathsf {poly}\left( \lambda \right) \).

figure en

Proof

Compared to \(\mathsf {G}_1\), the hybrid \(\mathsf {G}_2\) aborts if two different messages, for which the adversary queried a tag, have the same hash value. Furthermore, in \(\mathsf {G}_2\) the adversary looses (i.e., the output of \(\textsc {Finalize}_{\mathsf {MAC}}\) is always 0), if the hash of a prefix of a message sent to the \(\textsc {Chal}\) oracle is identical to the hash of a message send to the \(\textsc {Eval}\) oracle. So the two games are identical, except when a hash function collision occurs.   \(\square \)

Fig. 11.
figure 11

Reduction for the transition from \(\mathsf {G}_2\) to \(\mathsf {G}_3\) to the Randomness Injection Lemma.

Full size image

Lemma 11

(\(\mathsf {G}_2\rightsquigarrow \mathsf {G}_3\)). For all adversaries \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) L\cdot \mathsf {poly}\left( \lambda \right) \).

figure eo

Proof

In game \(\mathsf {G}_3\) the value \(\mathbf {{u}}_{p}\) is chosen uniformly random (and some side-effect changes are made). For the transition to this game, we use the security of the underlying linear MAC. The reduction is given in Fig. 11.

We use the Randomness Injection Lemma to compute the components \(\mathbf {{h}}\) and \(\mathbf {{h}}_{0,i}\) for all levels i in the \(\textsc {Chal}\) oracle and to compute \(\mathbf {{t}}_{p}\) and \(\mathbf {{u}}_{p}'\), i.e. the last-level components of the tags. For the other components, we use the public key returned from \(\textsc {Init}_{\mathsf {ri}}\). This is important to avoid asking both the \(\textsc {Eval}_{\mathsf {ri}}\) and \(\textsc {Chal}_{\mathsf {ri}}\) oracles on common prefixes of \(\textsc {Eval}_{\mathsf {ri}}\)-messages and \(\textsc {Chal}_{\mathsf {ri}}\)-messages.

If the reduction is accessing the \(\mathsf {RI}_{\mathsf {real}}\) game, it simulates \(\mathsf {G}_2\). Otherwise, it simulates \(\mathsf {G}_3\).   \(\square \)

Lemma 12

(\(\mathsf {G}_3\rightsquigarrow \mathsf {G}_4\)). For all adversaries \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) L\cdot \mathsf {poly}\left( \lambda \right) \).

figure ep
Fig. 12.
figure 12

Reduction for the transition from \(\mathsf {G}_3\) to \(\mathsf {G}_4\) to the Randomness Packing Lemma.

Full size image

Proof

In game \(\mathsf {G}_4\) the value \(\tilde{\mathbf {{u}}}\) is chosen uniformly random (and some side-effect changes are made). For the transition to this game, we use the Randomness Packing Lemma (Lemma 5). The reduction is given in Fig. 12.

We use the Randomness Packing Lemma to compute the components \(\mathbf {{h}}\) and \(\tilde{\mathbf {{h}}}_{0}\) for all levels i in the \(\textsc {Chal}\) oracle and to compute \(\tilde{\mathbf {{t}}}\) and \(\tilde{\mathbf {{u}}}'\). Everything else can be computed with the delegation key returned from \(\textsc {Init}_{\mathsf {rp}}\).

If the reduction is accessing the \(\mathsf {RP}_{\mathsf {real}}\) game, it simulates \(\mathsf {G}_3\). Otherwise, it simulates \(\mathsf {G}_4\).    \(\square \)

Fig. 13.
figure 13

Reduction for the transition from \(\mathsf {G}_4\) to \(\mathsf {G}_5\) to the \(Q_c\)-fold \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) challenge .

Full size image

Lemma 13

(\(\mathsf {G}_4\rightsquigarrow \mathsf {G}_5\)). For all adversaries \(\mathcal {A}\) there exists an adversary \(\mathcal {B}\) with

and \(T\left( \mathcal {B}\right) \approx T\left( \mathcal {A}\right) +\left( Q_e+Q_c\right) L\cdot \mathsf {poly}\left( \lambda \right) \).

figure er

Proof

In game \(\mathsf {G}_5\) the value \(h_K\) is chosen uniformly random. For the transition to this game, we need a \(Q_c\)-fold \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) challenge . The reduction is given in Fig. 13.

Assume that is invertible. This happens with probability at least \((1-1/\left( q-1\right) )\). The \(\textsc {Init}\) and \(\textsc {Eval}\) oracles are identical in both games and simulated correctly by the reduction, because they do not return anything depending on \(\mathbf {{x}}'\). Write where \(\mathbf {{w}}_{c}\) is uniform random in \(\mathbb {Z}_q^{k}\) and is 0 or uniform random in \(\mathbb {Z}_q\). In the \(\textsc {Chal}\) queries the reduction picks \(\tilde{\mathbf {{h}}}:=\overline{\mathbf {{f}}_{c}}\). Since \(\overline{\mathbf {{f}}_{c}}\) is a uniform random vector, \(\tilde{\mathbf {{h}}}\) is distributed correctly. Furthermore, \(h_K\) is computed as

If , we are simulating game \(\mathsf {G}_4\). If is uniform random we are simulating game \(\mathsf {G}_5\).    \(\square \)

Summary. To prove Theorem 1, we combine Lemmata 913 to change \(h_K\) from real to random and then apply all Lemmata (except Lemma 13) in reverse order to get to the \(\mathsf {uMAC}_{\mathsf {rand}}\) game.    \(\square \)

4 Transformation to Unbounded HIBE

Our unbounded affine MAC can be tightly transformed to an unbounded HIBE under the \(\mathcal {U}_{k}\text {-}\mathsf {MDDH}\) assumption in \(\mathbb {G}_1\). The transformation follows the same idea as [6]. It can be found in the full version.

The unbounded HIBE obtained from our unbounded affine MAC can be instantiated with any MDDH assumption. The result for the \(\mathsf {SXDH}\) assumption can be found in Fig. 14.

Fig. 14.
figure 14

The scheme obtained from \(\mathsf {MAC}_{u}\) instantiated with the \(\mathsf {SXDH}\) assumption.

Full size image