
Anonymity from Asymmetry: New Constructions for Anonymous HIBE

Leo Ducas

Ecole Normale Superieure, Paris — [email protected]

Abstract. A Hierarchical Identity Based Encryption (HIBE) system is anonymous if the ciphertext reveals no information about the recipient’s identity. create it. While there are multiple constructions for secure HIBE, far fewer constructions exist for anonymous HIBE. In this paper we show how to use asymmetric pairings to convert a large family of IBE and HIBE constructions into anonymous IBE and HIBE systems. We also obtain a delegatable-HVE which is a generalization of anonymous HIBE.

Keywords: Anonymity, Identity Based Encryption, HIBE, delegatable Hidden Vector Encryption

1 Introduction

In an Identity Based Encryption system (IBE) [Sha85,BF03] any string can function as a public key. A master secret is used to generate private keys for any public-key of interest. An extension of IBE, called Hierarchical-IBE [HL02,GS02], allows for a hierarchy of identities where any path from the root to a node can function as a public-key. An IBE or HIBE is said to be recipient anonymous or simply anonymous if the ciphertext leaks no information about the recipient’s identity. Both anonymous IBE and HIBE are building blocks for encryption systems supporting searching on encrypted data [BCOP04,ABC+05,SBC+07,BW07].

While there are several approaches to constructing an IBE using bilinear maps [BF03], most constructions in the standard model are not recipient anonymous [CHK03,BB04,Wat05,BBG05] — there is a simple attack that can tell if a given ciphertext is encrypted for a specific identity (the system in [Gen06] is an exception). Oddly, by changing the type of pairing used, the anonymity attack goes away. In particular, if one uses an asymmetric pairing $e : G \times \hat{G} \to G_t$ (as discussed in the next section) then it is no longer known how to break anonymity of the systems in [BB04,Wat05,BBG05]. However, it is not known how to prove anonymous security of these systems from simple assumptions.

In this paper we resolve this issue and show that a small tweak to the systems in [BB04,Wat05,BBG05] can make them provably anonymous when using asymmetric pairings. All our proofs are set in the standard model (i.e. without relying on random oracles). In addition to hiding the recipient’s identity, ciphertexts in our system also hide the public parameters under which the ciphertext was created.

We are certainly not the first to construct an anonymous IBE or HIBE without random oracles. Boyen and Waters [BW06] gave the first construction based on the decision linear assumption. Other anonymous IBE systems were presented in [Gen06,BW07,IP08,SW08]. Our IBE system is a little simpler than [BW06] and relies on a weaker assumption than [Gen06]. A more substantial advantage comes up in our HIBE.

The HIBE case. Consider a hierarchy of depth $\ell$. The anonymous HIBE system in [BW06] generates secret keys of size proportional to $\ell^2$ and ciphertext of size proportional to $\ell$. Our system, which is derived from [BBG05], has secret keys of size $O(\ell)$ and constant size ciphertext. As in [BBG05], security relies on a complexity assumption whose size is proportional to $\ell$. We note that very recently Shi and Waters [SW08] used composite order groups to construct an HIBE where private key size is $O(\ell)$ and ciphertext size linear in $\ell$. Seo et al. in [SKOS09] also used composite order groups to construct a compact anonymous HIBE, with constant size ciphertext and linear size private keys. Ciphertexts in our system are considerably shorter.

We note that our construction also gives a delegatable-HVE [BW07,SW08], which is a generalization of anonymous HIBE. We present the system in Section 5.1.

2 Anonymous IBE and HIBE: definitions

We briefly review the definition of anonymous IBE and HIBE. A more detailed definition can be found in [ABC+05]. In this paper we only consider CPA attacks, and define both the selective-ID and adaptive-ID security games.

A public-key in an HIBE is a vector $\mathrm{ID} = (I_1, \ldots, I_k)$ representing an identity at depth $k$ of the hierarchy. We use $\ell$ to denote the maximum hierarchy depth. The case $\ell = 1$ is an IBE. An HIBE system consists of five algorithms: Setup to generate public parameters $PP$ and a master secret $mk$; Extract to generate a secret key for an identity $\mathrm{ID}$ using the master key; Derive to generate a secret for an identity $\mathrm{ID} = (I_1, \ldots, I_k)$ given a secret key for $\mathrm{ID} = (I_1, \ldots, I_{k-1})$; and Encrypt and Decrypt to encrypt and decrypt messages for identity $\mathrm{ID}$.

We use $\mathcal{C}_{\lambda,\ell}$ to denote the finite set of all possible ciphertexts for a given security parameter $\lambda$ and maximum hierarchy depth $\ell$.

The following security games capture both semantic security and recipient anonymity properties of the system. We begin with the selective-ID game between a challenger and adversary $\mathcal{A}$. Both are given the security parameter $\lambda$ as input. For $b = 0, 1$ game $\Gamma^{(b)}(\lambda)$ is defined as follows:

– Initialization: The adversary sends to the challenger $(\ell, \mathrm{ID}^*)$ where $\ell > 0$ is the maximal hierarchy depth and $\mathrm{ID}^* = (I^*_1, \ldots, I^*_k)$ is an identity that $\mathcal{A}$ intends to attack (where $k \le \ell$). When defining IBE security we require $\ell = 1$.

– Setup: The challenger runs $\mathrm{Setup}(\lambda, \ell)$ and sends $PP$ to $\mathcal{A}$.

– Phase 1: $\mathcal{A}$ issues up to $q_S$ private key queries where no query is a prefix of $\mathrm{ID}^*$. The challenger responds to the $i$th query $\mathrm{ID}_i$ by sending $\mathcal{A}$ the output of $\mathrm{Extract}(mk, \mathrm{ID}_i)$.

– Challenge: $\mathcal{A}$ outputs a message $m^*$. The challenger responds by choosing a random ciphertext $c \xleftarrow{R} \mathcal{C}_{\lambda,\ell}$ and sending $c^*$ to the adversary, where $c^*$ is defined as

$$c^* \leftarrow \begin{cases} \mathrm{Encrypt}(PP, \mathrm{ID}^*, m^*) & \text{if } b = 0 \ (\text{game } \Gamma^{(0)}) \\ c & \text{if } b = 1 \ (\text{game } \Gamma^{(1)}) \end{cases}$$

– Phase 2: the adversary continues to issue private-key queries subject to the same restriction as in phase 1.

– Guess: finally, $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$ for $b$.

For $b = 0, 1$ let $W_b$ be the event that $b = b'$ in Game $\Gamma^{(b)}$ and define $\mathcal{A}$’s advantage as

$$\mathrm{Adv}^{\text{aIND-sID-CPA}}_{\mathcal{A}}(\lambda) := \bigl|\Pr[W_0] - \Pr[W_1]\bigr|.$$

Definition 1. We say that an HIBE system is selective-ID anonymous if for all PPT $\mathcal{A}$ we have that $\mathrm{Adv}^{\text{aIND-sID-CPA}}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.

Note that our definition of anonymity is a little stronger than usual [ABC+05]. We require that an encryption of $m^*$ for $\mathrm{ID}^*$ under $PP$ is indistinguishable from a random ciphertext in $\mathcal{C}_{\lambda,\ell}$. Consequently, not only does the ciphertext hide $m^*$ and $\mathrm{ID}^*$, it also hides $PP$. Moreover, our definition implies that ciphertext length must be independent of the depth of $\mathrm{ID}^*$ in the hierarchy.

As usual, to define full-IBE security one modifies the game to allow the adversary to specify $\mathrm{ID}^*$ in the challenge step instead of at initialization.

3 Complexity Assumptions

3.1 Asymmetric pairings

Let $p$ be a prime and let $G$, $\hat{G}$, and $G_t$ be groups of order $p$. An asymmetric pairing is a map $e : G \times \hat{G} \to G_t$ that is bilinear, non-degenerate, and efficiently computable. The term asymmetric refers to the fact that the groups $G$ and $\hat{G}$ need not be the same.

It is well known that when $G = \hat{G}$ then the Decision Diffie-Hellman problem in $G$ is easy [Jou00]. However, when $G$ and $\hat{G}$ are distinct and there is no efficiently computable map from $G$ to $\hat{G}$ then Decision Diffie-Hellman in $G$ can still be hard. This is partially the reason why the anonymity attacks on [BB04,Wat05,BBG05] do not seem to apply when using an asymmetric pairing.

The assumption that DDH is hard in $G$ is sometimes called the XDH assumption. This assumption and its variants have been used in [Sco02,CHL05,ACd05,BKM05]. In Sections 3.2 and 3.3 we state the specific assumptions we will use.

3.2 The Bilinear Diffie-Hellman Assumption

The BDH problem for a symmetric pairing $e : G \times G \to G_t$ is stated as follows [Jou00,BF03]:

Given a tuple $(g, g^a, g^b, g^c) \in G^4$ as input, output $e(g, g)^{abc} \in G_t$.

We extend the BDH problem to asymmetric bilinear groups by giving $(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b) \in G^3 \times \hat{G}^3$ as input and asking for $e(g, \hat{g})^{abc} \in G_t$.

Asymmetric Decision BDH. Consider the following two distributions: For $g \in G$, $\hat{g} \in \hat{G}$, $a, b, c \in \mathbb{Z}_p$, and $T \in G_t$ chosen uniformly at random, define:

– $P_{BDH} := (g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, e(g, \hat{g})^{abc}) \in G^3 \times \hat{G}^3 \times G_t$

– $R_{BDH} := (g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, T) \in G^3 \times \hat{G}^3 \times G_t$

For an algorithm $\mathcal{A}$ we let $\mathrm{Adv}^{\text{D-BDH}}_{\mathcal{A}}$ be the advantage of $\mathcal{A}$ in distinguishing these two distributions. That is,

$$\mathrm{Adv}^{\text{D-BDH}}_{\mathcal{A}} = \bigl|\Pr[\mathcal{A}(D) = 1] - \Pr[\mathcal{A}(R) = 1]\bigr|$$

where $D$ is sampled from $P_{BDH}$ and $R$ is sampled from $R_{BDH}$. We say that an algorithm $\mathcal{B}$ that outputs a bit in $\{0, 1\}$ has advantage $\mathrm{Adv}^{\text{D-BDH}}_{\mathcal{B}} = \varepsilon$ in solving the Decision-BDH problem in $(G, \hat{G})$ if

$$\bigl|\Pr[\mathcal{B}(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, e(g, \hat{g})^{abc}) = 0] - \Pr[\mathcal{B}(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, T) = 0]\bigr| \ge \varepsilon$$

where the probability is over the random choice of generators $g \in G$ and $\hat{g} \in \hat{G}$, exponents $a, b, c$ in $\mathbb{Z}_p$, $T \in G_t$, and the random bits used by $\mathcal{B}$.

As usual, to state the assumption asymptotically we rely on a bilinear group generator $\mathcal{G}$ that takes a security parameter $\lambda$ as input and outputs the description of a bilinear group.

Definition 2. Let $\mathcal{G}$ be a bilinear group generator. We say that the Decision BDH holds for $\mathcal{G}$ if, for all PPT algorithms $\mathcal{A}$, the function $\mathrm{Adv}^{\text{D-BDH}}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.

3.3 Additional Assumptions

To prove the anonymity property of our systems, we will need a slightly stronger assumption. Consider the following two distributions: For $g \in G$, $\hat{g} \in \hat{G}$, $a, b, c \in \mathbb{Z}_p$, and $T \in G$ chosen uniformly at random, define:

– $D_N := (g, g^a, g^{ab}, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, g^{abc}) \in G^4 \times \hat{G}^3 \times G$

– $D_R := (g, g^a, g^{ab}, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, T) \in G^4 \times \hat{G}^3 \times G$

For an algorithm $\mathcal{A}$ we let $\mathrm{Adv}^{\text{P-BDH}}_{\mathcal{A}}$ be the advantage of $\mathcal{A}$ in distinguishing these two distributions.

Definition 3. Let $\mathcal{G}$ be a bilinear group generator. We say that the Decision P-BDH holds for $\mathcal{G}$ if, for all PPT algorithms $\mathcal{A}$, the function $\mathrm{Adv}^{\text{P-BDH}}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.

3.4 Discussion about the assumptions

Intuitively, the Decision P-BDH assumption is a combination of the Decision BDH assumption used by the BB1 HIBE system, and the XDH assumption (stating that the Decision Diffie-Hellman problem is hard in one of the groups despite the existence of the pairing). Indeed, the Decision P-BDH assumption implies both assumptions via the following simple reductions: A Decision P-BDH instance $(g, g^a, g^{ab}, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, T)$ can be solved using:

– a Decision BDH adversary $\mathcal{A}$: run $\mathcal{A}(g, g^a, g^c, \hat{g}, \hat{g}^a, \hat{g}^b, e(T, \hat{g}))$;

– a Decision DH adversary $\mathcal{A}$: run $\mathcal{A}(g, g^{ab}, g^c, T)$.

The existence of an efficiently computable homomorphism from $\hat{G}$ to $G$ does not contradict our assumption, but it is not required for the construction or the security proof either. Thus, the bilinear group of our system may be instantiated by either a type 2 or a type 3 pairing on elliptic curves, as defined in [GPS06].

4 An Efficient Anonymous IBE

We first construct an IBE system that is anonymous under the P-BDH assumption in asymmetric bilinear groups.

4.1 IBE Construction

We are given a bilinear map $e : G \times \hat{G} \to G_t$ over a bilinear group pair $(G, \hat{G})$ of prime order $p$, with respective generators $g \in G^*$ and $\hat{g} \in \hat{G}^*$. The size of $p$ is determined by the security parameter. Our IBE system works as follows:

Setup: To generate system parameters for an IBE, given bilinear groups $(G, \hat{G})$ with generators $(g, \hat{g})$, the setup algorithm first selects a random $(\alpha, \beta, \gamma, \delta, \eta) \in \mathbb{Z}_p^5$, and sets $g_1 = g^\alpha$, $g_2 = g^\beta$, $h = g^\gamma$, $f = g^\delta$, $t = g^\eta$, and their analogues $\hat{g}_1 = \hat{g}^\alpha$, $\hat{g}_2 = \hat{g}^\beta$, $\hat{h} = \hat{g}^\gamma$, $\hat{f} = \hat{g}^\delta$, $\hat{t} = \hat{g}^\eta$. The public parameters $PP$ and the master secret $mk$ are given by

$$PP = (g, g_1, h, f, t, \hat{g}, \hat{g}_2, \hat{h}) \in G^5 \times \hat{G}^3, \qquad mk = (\hat{g}_0 = \hat{g}^{\alpha\beta}, \hat{f}, \hat{t}) \in \hat{G}^3$$

Extract($mk$, ID): To extract a private key $d_{\mathrm{ID}}$ for an identity $\mathrm{ID} = I \in \mathbb{Z}_p^*$ the authority holding the master key picks random $r, R \in \mathbb{Z}_p$ and outputs

$$d_{\mathrm{ID}} = \bigl(\hat{g}_0\,(\hat{h}^I \hat{f})^r\,\hat{t}^R,\ \hat{g}^r,\ \hat{g}^R\bigr) \in \hat{G}^3$$

Encrypt($PP$, ID, $M$): To encrypt a message $M \in G_t$ under the public key $\mathrm{ID} = I \in \mathbb{Z}_p^*$, pick a random $s \in \mathbb{Z}_p$ and output

$$C = \bigl(M \cdot e(g_1, \hat{g}_2)^s,\ g^s,\ (h^I f)^s,\ t^s\bigr) \in G_t \times G^3$$

Decrypt($d_{\mathrm{ID}}$, $C$): To decrypt a given ciphertext $C = (A, B, C_1, Z) \in G_t \times G^3$ using the private key $d_{\mathrm{ID}} = (d_0, d_1, d_2) \in \hat{G}^3$, output

$$A \cdot e(C_1, d_1) \cdot e(Z, d_2) \,/\, e(B, d_0) \in G_t$$

The system is consistent. Indeed, for a valid ciphertext encrypted under the identity $\mathrm{ID} = I$ to which the private key $d_{\mathrm{ID}}$ belongs, we have

$$\frac{A \cdot e(C_1, d_1) \cdot e(Z, d_2)}{e(B, d_0)} = \frac{A \cdot e(h^I f, \hat{g})^{sr} \cdot e(t, \hat{g})^{sR}}{e(g, \hat{g}_0)^s \cdot e(g, \hat{h}^I \hat{f})^{sr} \cdot e(g, \hat{t})^{sR}} = A \cdot \frac{1}{e(g_1, \hat{g}_2)^s} = M$$

The system is closely related to the BB1 IBE system from [BB04]. The only difference is the additional element $t^s$ in the ciphertext and the additional blinding value $\hat{t}^R$ in the private key.

4.2 Security Reduction

The following theorem proves security of our system under the Decision P-BDH assumption.

Theorem 1 (IBE security). Our IBE is selective-ID anonymous assuming the Decision P-BDH assumption holds for the bilinear group generator $\mathcal{G}$. In particular, for all PPT algorithms $\mathcal{B}$, the function $\mathrm{Adv}^{\text{aIND-sID-CPA}}_{\mathcal{B}}(\lambda)$ is a negligible function of $\lambda$.

The proof proceeds by a hybrid argument across a number of games. Let $CT = (A, B, C_1, Z) \in G_t \times G^3$ denote the challenge ciphertext given to the adversary during a real attack (game $\Gamma^{(0)}$ in Definition 1). Additionally, let $R$ be a random element of $G_t$ and $R', R_1$ be random elements of $G$. We define the following hybrid experiments, which differ in how the challenge ciphertext is generated:

– Game $\Gamma$: The challenge ciphertext is $CT = (A, B, C_1, Z)$

– Game $\Gamma'$: The challenge ciphertext is $CT' = (R, B, C_1, Z)$

– Game $\Gamma_0$: The challenge ciphertext is $CT_0 = (R, B, C_1, R')$

– Game $\Gamma_1$: The challenge ciphertext is $CT_1 = (R, B, R_1, R')$

Game $\Gamma$ is the same as game $\Gamma^{(0)}$ in Definition 1. Game $\Gamma_1$ is the same as game $\Gamma^{(1)}$ in Definition 1, where the adversary is given a random ciphertext. Therefore,

$$\mathrm{Adv}^{\text{aIND-sID-CPA}}_{\mathcal{B}} \le \bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma_1} = 0]\bigr|.$$

To prove that $\Gamma$ is indistinguishable from $\Gamma_1$ we prove that each step of the hybrid is indistinguishable from the next. We do so in a sequence of lemmas whose proofs are given in Appendix A.

Lemma 1 (semantic security). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma'} = 0]\bigr| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}$$

This proof is just the adaptation of the original BB1 security proof. The lemma is stated using the Decision P-BDH problem, but the proof only uses the Decision BDH problem, which is a weaker assumption.

Lemma 2 (anonymity, part 1). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\bigl|\Pr[\mathcal{A}_{\Gamma'} = 0] - \Pr[\mathcal{A}_{\Gamma_0} = 0]\bigr| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}$$

Lemma 3 (anonymity, part 2). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\bigl|\Pr[\mathcal{A}_{\Gamma_0} = 0] - \Pr[\mathcal{A}_{\Gamma_1} = 0]\bigr| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}$$

Thus, if there is no algorithm $\mathcal{B}$ that solves the P-BDH problem with an advantage better than $\varepsilon$, then, for all adversaries $\mathcal{A}$:

$$\bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma_1} = 0]\bigr| \le \bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma'} = 0]\bigr| + \bigl|\Pr[\mathcal{A}_{\Gamma'} = 0] - \Pr[\mathcal{A}_{\Gamma_0} = 0]\bigr| + \bigl|\Pr[\mathcal{A}_{\Gamma_0} = 0] - \Pr[\mathcal{A}_{\Gamma_1} = 0]\bigr| \le 3\varepsilon$$

Full IBE security. We proved that our system is anonymous under CPA and selective-ID attacks. It can be made fully secure using known tools.

First, to make the system chosen ciphertext secure one can use the results of Canetti et al. [CHK04,BCHK07]. To construct an anonymous chosen-ciphertext secure IBE we need a 2-level HIBE where the first level is anonymous, but the second need not be. Following the BB1 HIBE construction, we can build a 2-level HIBE which is anonymous relative to the first level, but not the second. We thus obtain an anonymous chosen ciphertext secure IBE.

Second, to obtain full security against adaptive attacks (rather than selective security), one can use random oracles or inefficient reductions. It is also possible to apply the technique of Waters [Wat05] to our system to obtain an anonymous fully secure IBE without random oracles.

HIBE. The original BB1 system extends to an HIBE by expanding $f$ to a vector $f_1, \ldots, f_\ell$, one $f_i$ per level of the hierarchy. Unfortunately, we cannot use the same method to extend our IBE to an anonymous HIBE. The problem is that to enable key delegation, we must include the values $f_2, \ldots, f_\ell$ in private keys. But providing these values breaks anonymity for all levels except the first one. A different approach is needed to extend our anonymous IBE to an anonymous HIBE. We develop this in the next section.

5 Anonymous Hierarchical IBE and delegatable HVE

As before, we assume a bilinear group $G$ and a map $e : G \times \hat{G} \to G_t$, where $G$, $\hat{G}$ and $G_t$ have prime order $p$.

To extend our anonymous IBE to an anonymous HIBE we add $f_i$ terms to the private keys to enable key delegation, but we blind them so as not to break anonymity. We can then build an anonymous HIBE under the same compact assumption as before, but the private key size now becomes quadratic in the depth of the hierarchy. A similar problem was encountered in [BW06].

Another approach to making BB1 a (non-anonymous) HIBE was proposed in [BBG05]. The construction uses a stronger assumption, but provides constant size ciphertext, and constant pairing steps during decryption. Using this construction, we can extend the anonymous IBE of the previous section to a very efficient anonymous HIBE with short ciphertext, fast decryption, and linear size private keys.

The two approaches we outlined above (linear keys with a strong assumption and quadratic keys with a compact assumption) can be done simultaneously to obtain a hybrid anonymous HIBE with good performance and relying on a semi-compact assumption. This system is described in Appendix C, and we discuss several instantiations of this general construction in Section 5.3.

From anonymous HIBE to delegatable HVE. A delegatable Hidden Vector Encryption system (dHVE) [BW07,SW08] can be viewed as an extension of anonymous HIBE. Messages in a dHVE of depth $\ell$ are encrypted depending on a property vector $\mathbf{v} \in S^\ell$. We define tokens as being vectors in $S_*^\ell$, with $S_* = S \cup \{*\}$, the $*$ symbol being used as a wildcard. We also set a partial order on those tokens: $\mathbf{v} \ge \mathbf{w}$ iff $\forall 1 \le i \le \ell,\ v_i = w_i \lor v_i = *$.

A master authority provides public parameters $PP$ allowing anyone to encrypt with any property vector $\mathbf{v} \in S^\ell$. With its master key $mk$, this authority must also be able to extract keys for any token $\mathbf{w} \in S_*^\ell$. Knowing a key $k$ for token $\mathbf{w}$ should allow one to decrypt all messages encoded with property vectors $\mathbf{v} \le \mathbf{w}$; otherwise no information should be leaked about the message $m$ or the property vector $\mathbf{v}$ used to encrypt it. Furthermore, anyone with a key $k$ for a token $\mathbf{w}$ should be able to delegate keys for any vectors $\mathbf{w}' \le \mathbf{w}$. We refer to [SW08] for the definition of security.

Any anonymous HIBE is also a dHVE where property vectors are used as identities and we only require keys for vectors of the form $\mathbf{w} = (v_1, \ldots, v_k, *, \ldots, *)$ with $v_1, \ldots, v_k \ne *$. To encrypt for an identity of depth $k < \ell$, the encryptor pads the property vector with random values of $S$ (or with a special token in $S$ that is not used in identity vectors).

Unfortunately, the construction from [BBG05] doesn’t give an efficient way to decrypt messages without knowing the exact identity of the recipient, even with a private key for a higher identity in the hierarchy. Thus, our anonymizing tweak on this system doesn’t lead to a proper dHVE.

5.1 A delegatable HVE

Our system uses the property set $S = \mathbb{Z}_p^*$ and encodes the wildcard $*$ by $0 \in \mathbb{Z}_p$.

Convention and reindexation. For a token $\mathbf{w}$, we note $S_{\mathbf{w}}$ (resp. $\bar{S}_{\mathbf{w}}$) the subset of indexes such that $w_i \ne *$ (resp. $w_i = *$), and $k_{\mathbf{w}}$ denotes $|S_{\mathbf{w}}|$. Keys will be seen as matrices of size $(\ell + 2) \times (k_{\mathbf{w}} + 2)$, indexed the following way:

$$\begin{array}{c|ccccc}
 & 0 & s_1 & \cdots & s_{k_{\mathbf{w}}} & -1 \\ \hline
-1 & \cdot & \cdot & \cdots & \cdot & \cdot \\
0 & \cdot & \cdot & \cdots & \cdot & \cdot \\
1 & \cdot & \cdot & \cdots & \cdot & \cdot \\
\vdots & \vdots & \vdots & & \vdots & \vdots \\
\ell & \cdot & \cdot & \cdots & \cdot & \cdot
\end{array}$$

where $s_1 \ldots s_{k_{\mathbf{w}}}$ are the naturally ordered elements of $S_{\mathbf{w}}$. But for readability, we can always consider for a given $\mathbf{w}$ that $S_{\mathbf{w}} = 1 \ldots k_{\mathbf{w}}$, by reordering rows and columns of the considered matrices. With this new indexation, row $-1$ will be called the decryption part (of the key), rows $0 \ldots k_{\mathbf{w}}$ the rerandomization part, and rows $(k_{\mathbf{w}} + 1) \ldots \ell$ the delegation part.

Linear algebra notation. The description of our system is greatly simplified by the use of notation from linear algebra. We will be using vectors and matrices whose components are elements in the groups $G$ or $\hat{G}$. The sum of two such matrices is defined by doing a cell by cell group product. We define the product of a vector $\mathbf{x} = (x_1 \ldots x_n)$ in $(\mathbb{Z}_p)^n$ with a vector $\mathbf{g} = (g_1 \ldots g_n)$ of $G^n$ by:

$$(x_1 \ldots x_n) \cdot (g_1 \ldots g_n) = \prod_{i=1}^{n} g_i^{x_i} \in G$$

This definition extends naturally to the product of matrices over $\mathbb{Z}_p$ by matrices over $G$. When we write those products, we will always place the matrices over $G$ on the right. Vectors will be written in bold, and if $\mathbf{v}$ is a vector, then $v_i$ is its $i$th component, and $\mathbf{v}|_S$ is the restriction of $\mathbf{v}$ to its components of index in $S$: $[v_i]_{i \in S}$ (in the natural order). We will also use the plus sign over group matrices: $A + B$ corresponds to the component by component group product. Last, when writing block matrices, $\mathrm{Id}$ refers to the square identity matrix of the needed dimension.

Using this notation, we can now describe the delegatable HVE system as follows.

Setup($\ell$): To generate system parameters for a dHVE of depth $\ell$, given bilinear groups $(G, \hat{G})$ with generators $(g, \hat{g})$, the setup algorithm first selects random $\alpha, \beta, \gamma, \eta \in \mathbb{Z}_p$, $\boldsymbol{\delta} \in (\mathbb{Z}_p)^\ell$, and sets $g_1 = g^\alpha$, $g_2 = g^\beta$, $h = g^\gamma$, $\mathbf{f} = \boldsymbol{\delta} \cdot (g)$, $t = g^\eta$, and their analogues $\hat{g}_1 = \hat{g}^\alpha$, $\hat{g}_2 = \hat{g}^\beta$, $\hat{h} = \hat{g}^\gamma$, $\hat{\mathbf{f}} = \boldsymbol{\delta} \cdot (\hat{g})$, $\hat{t} = \hat{g}^\eta$. The public parameters $PP$ and the master secret $mk$ are:

$$PP = (g, g_1, h, \mathbf{f}, t, \hat{g}, \hat{g}_2, \hat{h}) \in G^{4+\ell} \times \hat{G}^3, \qquad mk = (\hat{g}_0 = \hat{g}^{\alpha\beta}, \hat{\mathbf{f}}, \hat{t}) \in \hat{G}^{2+\ell}$$

Extract($mk$, $\mathbf{w}$): We first suppose, using reindexation if necessary, that $\mathbf{w}$ is of the form $(w_1, \ldots, w_k, *, \ldots, *)$. To generate the private key $d_{\mathbf{w}}$, output the matrix:

$$d_{\mathbf{w}} = \begin{pmatrix} d^{dec}_{\mathbf{w}} \\ d^{rer}_{\mathbf{w}} \\ d^{del}_{\mathbf{w}} \end{pmatrix} = \begin{pmatrix} 1 & R_1 & 0 \\ 0 & R_2 & 0 \\ 0 & R_3 & \mathrm{Id} \end{pmatrix} \cdot M_{\mathbf{w}} = \begin{pmatrix} M^{dec}_{\mathbf{w}} + R_1 \cdot M^{rer}_{\mathbf{w}} \\ R_2 \cdot M^{rer}_{\mathbf{w}} \\ M^{del}_{\mathbf{w}} + R_3 \cdot M^{rer}_{\mathbf{w}} \end{pmatrix} \in \hat{G}^{(\ell+2) \times (2+k_{\mathbf{w}})}$$

where $R_1 \in (\mathbb{Z}_p)^{1 \times (k+1)}$, $R_2 \in (\mathbb{Z}_p)^{(k+1) \times (k+1)}$, and $R_3 \in (\mathbb{Z}_p)^{(\ell-k) \times (k+1)}$ are random matrices, and

$$M_{\mathbf{w}} = \begin{pmatrix} M^{dec}_{\mathbf{w}} \\ M^{rer}_{\mathbf{w}} \\ M^{del}_{\mathbf{w}} \end{pmatrix} = \begin{pmatrix}
\hat{g}_0 & & & & \\
\hat{t} & & & & \hat{g} \\
\hat{h}^{w_1} \hat{f}_1 & \hat{g} & & & \\
\vdots & & \ddots & & \\
\hat{h}^{w_k} \hat{f}_k & & & \hat{g} & \\
\hat{f}_{k+1} & & & & \\
\vdots & & & & \\
\hat{f}_\ell & & & &
\end{pmatrix}$$

In this matrix blanks correspond to cells containing the group identity $\hat{g}^0$. Unrolling the definition, and without reindexation, we thus have:

$$d^{dec}_{\mathbf{w}} = \Bigl(\hat{g}_0 \bigl(\mathbf{r}_{-1} \cdot (\mathbf{w} \cdot \hat{h} + \hat{\mathbf{f}})|_{S_{\mathbf{w}}}\bigr)\, \hat{t}^{R_{-1}},\ \mathbf{r}_{-1} \cdot (\hat{g}),\ \hat{g}^{R_{-1}}\Bigr) \in \hat{G}^{1 \times (2+k_{\mathbf{w}})}$$

$$d^{rer}_{\mathbf{w}} = \Bigl[\bigl(\mathbf{r}_j \cdot (\mathbf{w} \cdot \hat{h} + \hat{\mathbf{f}})|_{S_{\mathbf{w}}}\bigr)\, \hat{t}^{R_j},\ \mathbf{r}_j \cdot (\hat{g}),\ \hat{g}^{R_j}\Bigr]_{j \in S_{\mathbf{w}} \cup \{0\}} \in \hat{G}^{(1+k_{\mathbf{w}}) \times (2+k_{\mathbf{w}})}$$

$$d^{del}_{\mathbf{w}} = \Bigl[\hat{f}_j \bigl(\mathbf{r}_j \cdot (\mathbf{w} \cdot \hat{h} + \hat{\mathbf{f}})|_{S_{\mathbf{w}}}\bigr)\, \hat{t}^{R_j},\ \mathbf{r}_j \cdot (\hat{g}),\ \hat{g}^{R_j}\Bigr]_{j \in \bar{S}_{\mathbf{w}}} \in \hat{G}^{(\ell-k_{\mathbf{w}}) \times (2+k_{\mathbf{w}})}$$

for random $R_{-1} \ldots R_u$ in $\mathbb{Z}_p$ and $\mathbf{r}_{-1} \ldots \mathbf{r}_\ell$ in $(\mathbb{Z}_p)^{k_{\mathbf{w}}}$. The idea behind this definition of $d^{del}_{\mathbf{w}}$ is to embed the $\hat{f}_i$ needed for delegation in the private key, but blinded in a way that maintains their utility.

Rerand($\mathbf{w}$, $d_{\mathbf{w}}$): We present a helper algorithm that will be useful for key delegation. If we have one valid key $d_{\mathbf{w}}$ for a given token $\mathbf{w}$, we can build another key $d'_{\mathbf{w}}$ for the same token $\mathbf{w}$, that has the same distribution as the output of algorithm Extract($mk$, $\mathbf{w}$), and is independent from $d_{\mathbf{w}}$, by re-randomization. Once again, we invoke reindexation and suppose that $\mathbf{w}$ is of the form $(w_1, \ldots, w_k, *, \ldots, *)$. Let $R'_1 \in (\mathbb{Z}_p)^{1 \times (k+1)}$, $R'_2 \in (\mathbb{Z}_p)^{(k+1) \times (k+1)}$, and $R'_3 \in (\mathbb{Z}_p)^{(u-k-1) \times (k+1)}$ be random matrices. Note that this corresponds to $(k+1)(\ell+2)$ random values in $\mathbb{Z}_p$, as in Extract. We build $d'_{\mathbf{w}}$ by:

$$d'_{\mathbf{w}} = \begin{pmatrix} 1 & R'_1 & 0 \\ 0 & R'_2 & 0 \\ 0 & R'_3 & \mathrm{Id} \end{pmatrix} \cdot d_{\mathbf{w}} = \begin{pmatrix} d^{dec}_{\mathbf{w}} + R'_1 \cdot d^{rer}_{\mathbf{w}} \\ R'_2 \cdot d^{rer}_{\mathbf{w}} \\ d^{del}_{\mathbf{w}} + R'_3 \cdot d^{rer}_{\mathbf{w}} \end{pmatrix}$$

Let $R_1, R_2, R_3$ be the matrices giving the previous decomposition of $d_{\mathbf{w}}$:

$$d_{\mathbf{w}} = \begin{pmatrix} 1 & R_1 & 0 \\ 0 & R_2 & 0 \\ 0 & R_3 & \mathrm{Id} \end{pmatrix} \cdot M_{\mathbf{w}}$$

thus we have:

$$d'_{\mathbf{w}} = \begin{pmatrix} 1 & R'_1 & 0 \\ 0 & R'_2 & 0 \\ 0 & R'_3 & \mathrm{Id} \end{pmatrix} \cdot \begin{pmatrix} 1 & R_1 & 0 \\ 0 & R_2 & 0 \\ 0 & R_3 & \mathrm{Id} \end{pmatrix} \cdot M_{\mathbf{w}} = \begin{pmatrix} M^{dec}_{\mathbf{w}} + (R'_1 \cdot R_2 + R_1) \cdot M^{rer}_{\mathbf{w}} \\ R'_2 \cdot R_2 \cdot M^{rer}_{\mathbf{w}} \\ M^{del}_{\mathbf{w}} + (R'_3 \cdot R_2 + R_3) \cdot M^{rer}_{\mathbf{w}} \end{pmatrix}$$

It is not hard to see that if $R_2$ is full rank, then $d'_{\mathbf{w}}$ is distributed as the output of algorithm Extract($mk$, $\mathbf{w}$). If $R_2$ is not full rank then $d'_{\mathbf{w}}$ is distributed differently (we then say that $d'_{\mathbf{w}}$ is ill-formed), but since this happens with probability about $1/p$ (which is negligible), $d'_{\mathbf{w}}$ is then distributed statistically close to the distribution of Extract($mk$, $\mathbf{w}$). Note that this difference arises between the real world and the security model, thus it will not appear in the security reduction.

Derive($\mathbf{w}$, $d_{\mathbf{w}}$, $\mathbf{w}'$): The derivation algorithm only needs to answer when $\mathbf{w} \ge \mathbf{w}'$ and can assume that $d_{\mathbf{w}}$ is indeed a valid key for the token $\mathbf{w}$. It is sufficient to show a correct algorithm working only when $k_{\mathbf{w}'} = k_{\mathbf{w}} + 1$, and then do delegation step by step. Using reindexation, we can also assume that $\mathbf{w} = (w_1, \ldots, w_k, *, \ldots, *)$ and $\mathbf{w}' = (w_1, \ldots, w_{k+1}, *, \ldots, *)$. Let us write the private key $d_{\mathbf{w}}$ as

$$d_{\mathbf{w}} = \begin{pmatrix}
D & G_1 & \cdots & G_{k-1} & T \\
D_0 & G_{0,1} & \cdots & G_{0,k-1} & T_0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
D_\ell & G_{\ell,1} & \cdots & G_{\ell,k-1} & T_\ell
\end{pmatrix}$$

First, we define $d^{temp}_{\mathbf{w}'}$ (with one more column):

$$d^{temp}_{\mathbf{w}'} = \begin{pmatrix}
D & G_1 & \cdots & G_{k-1} & & T \\
D_0 & G_{0,1} & \cdots & G_{0,k-1} & & T_0 \\
\vdots & \vdots & \ddots & \vdots & & \vdots \\
D_{k-1} & G_{k-1,1} & \cdots & G_{k-1,k-1} & & T_{k-1} \\
\hat{h}^{w_k} D_k & G_{k,1} & \cdots & G_{k,k-1} & \hat{g} & T_k \\
D_{k+1} & G_{k+1,1} & \cdots & G_{k+1,k-1} & & T_{k+1} \\
\vdots & \vdots & \ddots & \vdots & & \vdots \\
D_\ell & G_{\ell,1} & \cdots & G_{\ell,k-1} & & T_\ell
\end{pmatrix}$$

Also in this matrix, blanks correspond to cells containing the group identity $\hat{g}^0$. Intuitively, we moved the highlighted line from the delegation part to the re-randomization part of the key. Let $R_1, R_2, R_3$ be the matrices giving the previous decomposition of $d_{\mathbf{w}}$, and $R'_1, R'_2, R'_3$ for $d^{temp}_{\mathbf{w}'}$; we have:

$$R'_1 = \begin{pmatrix} R_1 & 0 \end{pmatrix}, \qquad R'_2 = \begin{pmatrix} R_2 & \begin{matrix} 0 \\ \vdots \\ 0 \end{matrix} \\ (R_3)_1 & 1 \end{pmatrix}, \qquad R'_3 = \begin{pmatrix} (R_3)_2 & 0 \\ \vdots & \vdots \\ (R_3)_{k-2} & 0 \end{pmatrix}$$

Note that if the rank of $R_2$ is $k+1$, then the rank of $R'_2$ is $k+2$, so if $d_{\mathbf{w}}$ isn’t an ill-formed key, $d^{temp}_{\mathbf{w}'}$ isn’t ill-formed either. We can thus output Rerand($d^{temp}_{\mathbf{w}'}$), which is a valid key following the same distribution as if it was directly generated by Extract($mk$, $\mathbf{w}'$).

Encrypt($PP$, $\mathbf{v}$, $M$): To encrypt a message $M \in G_t$ under the property vector $\mathbf{v} = (v_1, \ldots, v_\ell) \in (\mathbb{Z}_p^*)^\ell$, pick a random $s \in \mathbb{Z}_p$ and output

$$CT = \bigl(e(g_1, \hat{g}_2)^s \cdot M,\ g^s,\ (s) \cdot (\mathbf{v} \cdot (h) + \mathbf{f}),\ t^s\bigr) \in G_t \times G^{2+\ell}.$$

Decrypt($d^{dec}_{\mathbf{w}}$, $\mathbf{w}$, $CT$): Consider the token $\mathbf{w} = (w_1, \ldots, w_\ell)$ associated to the key $d_{\mathbf{w}}$. To decrypt a ciphertext $CT = (A, B, C_1, \ldots, C_\ell, Z)$ using the decryption part of the private key $d^{dec}_{\mathbf{w}} = (a_0, [b_i]_{i \in S_{\mathbf{w}}}, z)$, output

$$M' = A \cdot e(Z, z) \cdot \prod_{i \in S_{\mathbf{w}}} e(C_i, b_i) \,/\, e(B, a_0).$$

Correctness. We briefly check that decryption is correct, with the same notations as in Decrypt. Assuming $\mathbf{w} \ge \mathbf{v}$, we have $\forall i \in S_{\mathbf{w}},\ w_i = v_i$.

$$\begin{aligned}
e(B, a_0) &= e\bigl(g^s,\ \hat{g}_0 \bigl(\mathbf{r}_{-1} \cdot (\mathbf{w} \cdot \hat{h} + \hat{\mathbf{f}})|_{S_{\mathbf{w}}}\bigr)\, \hat{t}^{R_{-1}}\bigr) \\
&= e(g^s, \hat{g}_0) \cdot e(g^s, \hat{t}^{R_{-1}}) \cdot \prod_{i \in S_{\mathbf{w}}} e\bigl(g^s, (\hat{h}^{w_i} \hat{f}_i)^{r_{-1,i}}\bigr) \\
&= e(g, \hat{g}_0)^s \cdot e(t^s, \hat{g}^{R_{-1}}) \cdot \prod_{i \in S_{\mathbf{w}}} e\bigl((h^{w_i} f_i)^s, \hat{g}^{r_{-1,i}}\bigr) \\
&= e(g, \hat{g}_0)^s \cdot e(Z, z) \cdot \prod_{i \in S_{\mathbf{w}}} e(C_i, b_i)
\end{aligned}$$

If $CT$ is the encryption of $M$ under the public key ID, then $A = e(g, \hat{g}_0)^s \cdot M$, and hence we have $M' = M$.

5.2 Security Reduction

The following theorem proves security of our system under the Decision P-BDH assumption.

Theorem 2 (dHVE security). Our dHVE is selective-ID anonymous assuming the Decision P-BDH assumption holds for the bilinear group generator $\mathcal{G}$. In particular, for all PPT algorithms $\mathcal{B}$ and all $\ell > 0$, the function $\mathrm{Adv}^{\text{aIND-sID-CPA}}_{\mathcal{B}}(\lambda)$ is a negligible function of $\lambda$.

The proof proceeds by a hybrid argument across a number of games. Let $CT = (A, B, [C_i]_{i=1}^{\ell}, Z)$ in $G_t \times G^{2+\ell}$ denote the challenge ciphertext given to the adversary during the selective-ID game $\Gamma^{(0)}$ of Definition 1. Additionally, let $R$ be a random element of $G_t$, and $R'$ and $[R_i]_{i=1}^{\ell}$ be random elements of $G$. We define the following hybrid games, which differ on what challenge ciphertext is given to the adversary:

– Game $\Gamma$: The challenge ciphertext is $CT = (A, B, [C_i]_{i=1}^{\ell}, Z)$

– Game $\Gamma'$: The challenge ciphertext is $CT' = (R, B, [C_i]_{i=1}^{\ell}, Z)$

– Game $\Gamma_n$ ($n = 0 \ldots \ell$): The challenge is $CT_n = (R, B, [R_i]_{i=1}^{n}, [C_i]_{i=n+1}^{\ell}, R')$

Game $\Gamma$ is the same as game $\Gamma^{(0)}$ in Definition 1. Game $\Gamma_\ell$ is the same as game $\Gamma^{(1)}$ in Definition 1, where the adversary is given a random ciphertext. Therefore,

$$\mathrm{Adv}^{\text{aIND-sID-CPA}}_{\mathcal{B}} \le \bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma_\ell} = 0]\bigr|.$$

To prove that $\Gamma$ is indistinguishable from $\Gamma_\ell$ we prove that each step of the hybrid is indistinguishable from the next. We do so in a sequence of lemmas.

Lemma 4 (semantic security). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma'} = 0]\bigr| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}$$

Lemma 5 (anonymity, part 1). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\bigl|\Pr[\mathcal{A}_{\Gamma'} = 0] - \Pr[\mathcal{A}_{\Gamma_0} = 0]\bigr| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}$$

Lemma 6 (anonymity, part 2). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, for all $n = 1 \ldots \ell$, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\bigl|\Pr[\mathcal{A}_{\Gamma_{n-1}} = 0] - \Pr[\mathcal{A}_{\Gamma_n} = 0]\bigr| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}$$

Thus, if there is no algorithm $\mathcal{B}$ that solves the P-BDH problem with an advantage better than $\varepsilon$, then, for all adversaries $\mathcal{A}$:

$$\bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma_\ell} = 0]\bigr| \le \bigl|\Pr[\mathcal{A}_\Gamma = 0] - \Pr[\mathcal{A}_{\Gamma'} = 0]\bigr| + \bigl|\Pr[\mathcal{A}_{\Gamma'} = 0] - \Pr[\mathcal{A}_{\Gamma_0} = 0]\bigr| + \sum_{n=1}^{\ell} \bigl|\Pr[\mathcal{A}_{\Gamma_{n-1}} = 0] - \Pr[\mathcal{A}_{\Gamma_n} = 0]\bigr| \le (2 + \ell)\,\varepsilon$$

Consequently, under the P-BDH assumption, game $\Gamma$ is indistinguishable from $\Gamma_\ell$.

The proofs of those lemmas are given in the Appendix ??.

5.3 Instantiations

We now compare several instantiations of the anonymous HIBE system and thedHVE system that can be build using our techniques with other similar anony-mous constructions. In the Hybrid system described in the full version [Duc09],there is a parameter ω ∈ [0, 1] that we can also adjust to get different trade-offin terms of hypothesis strength and performances. Its security rely on a strongerassumption : Pn-BDH, which is also described in the full version. There are 3noticeable values for ω : ω = 1 is not using mechanics of [BBG05] and can beextended to our dHVE, ω = 0 provides constant size ciphertexts and linear keys,last ω = 1/2 gives optimal key size and sublinear ciphertexts.

| | group order | assumption | key size | ciphertext size |
|---|---|---|---|---|
| BB1-based IBE | prime | P-BDH | 3 | 4 |
| BB1-based dHVE ($\omega = 1$) | prime | P-BDH | $\sim \ell^2$ | $\ell + 3$ |
| Hybrid BBG-based HIBE | prime | $P_{\lceil \ell^{1-\omega} \rceil}$-BDH | $\le 3(\ell + \ell^{2\omega})$ | $\sim \ell^{\omega}$ |
| BBG-based HIBE ($\omega = 0$) | prime | $P_{\ell}$-BDH | $\sim 3\ell$ | 4 |
| Hybrid BBG-based HIBE ($\omega = 1/2$) | prime | $P_{\lceil \sqrt{\ell} \rceil}$-BDH | $\sim \ell$ | $\sim \sqrt{\ell}$ |
| dHVE from [SW08] | composite | composite-BDH | $\sim \ell^2$ | $\sim \ell$ |
| HIBE from [SKOS09] | composite | composite-BDH | $\sim 3\ell$ | 4 |

Sizes are expressed in group elements. The number of pairings for decryption is always bounded by the ciphertext size. Our construction offers better efficiency by a constant factor than previous results, depending on the chosen trade-off. Using asymmetric pairings lets us avoid composite-order groups, which are inevitably larger. For elements of $\mathbb{G}$ (used in the ciphertext) the gain can be very substantial (1024 bits versus 170 bits to achieve common concrete security). However, the use of type 2 or type 3 pairings does not allow a compact representation of $\hat{\mathbb{G}}$ elements, so that the improvement in private key size is not as significant (see [GPS06]).

6 Conclusions

We presented a technique for using asymmetric bilinear groups to add anonymity to a family of non-anonymous HIBE systems. One of those HIBEs naturally extends to a delegatable HVE system. The resulting systems are more efficient than several existing constructions for anonymous systems.

Acknowledgments

This work was done while the author was visiting Stanford University. I would like to express my gratitude to Dan Boneh, who gave me precious advice all along this work. Stanford University staff also deserve some thanks for welcoming me at the Computer Science lab for this internship. Finally, I would like to thank the anonymous reviewers for their wise comments on this paper.

References

[ABC+05] Michel Abdalla, Mihir Bellare, Dario Catalano, Eike Kiltz, Tadayoshi Kohno, Tanja Lange, John Malone-Lee, Gregory Neven, Pascal Paillier, and Haixia Shi. Searchable encryption revisited: Consistency properties, relation to anonymous IBE, and extensions. In Advances in Cryptology—CRYPTO 2005, 2005.

[ACd05] Giuseppe Ateniese, Jan Camenisch, and Breno de Medeiros. Untraceable RFID tags via insubvertible encryption. In Proceedings of the 12th ACM Conference on Computer and Communications Security, 2005.

[BB04] Dan Boneh and Xavier Boyen. Efficient selective-ID identity based encryption without random oracles. In Advances in Cryptology—EUROCRYPT 2004, 2004.

[BBG05] Dan Boneh, Xavier Boyen, and Eu-Jin Goh. Hierarchical identity based encryption with constant size ciphertext. In Advances in Cryptology—EUROCRYPT 2005, LNCS, 2005.

[BCHK07] Dan Boneh, Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. SIAM Journal on Computing, 36(5), 2007.

[BCOP04] Dan Boneh, Giovanni Di Crescenzo, Rafail Ostrovsky, and Giuseppe Persiano. Public key encryption with keyword search. In Advances in Cryptology—EUROCRYPT 2004, 2004.

[BF03] Dan Boneh and Matt Franklin. Identity-based encryption from the Weil pairing. SIAM Journal on Computing, 32(3), 2003. Preliminary version in CRYPTO 2001.

[BKM05] Lucas Ballard, Seny Kamara, and Fabian Monrose. Achieving efficient conjunctive keyword searches over encrypted data. In Information and Communications Security, 2005.

[BW06] Xavier Boyen and Brent Waters. Anonymous hierarchical identity-based encryption (without random oracles). In Advances in Cryptology—CRYPTO 2006, 2006.

[BW07] Dan Boneh and Brent Waters. Conjunctive, subset, and range queries on encrypted data. In Proceedings of TCC 2007, 2007.

[CHK03] Ran Canetti, Shai Halevi, and Jonathan Katz. A forward-secure public-key encryption scheme. In Advances in Cryptology—EUROCRYPT 2003, 2003.

[CHK04] Ran Canetti, Shai Halevi, and Jonathan Katz. Chosen-ciphertext security from identity-based encryption. In Advances in Cryptology—EUROCRYPT 2004, 2004.

[CHL05] Jan Camenisch, Susan Hohenberger, and Anna Lysyanskaya. Compact e-cash. Cryptology ePrint Archive, Report 2005/060, 2005.

[Duc09] Léo Ducas. Anonymity from asymmetry: New constructions for anonymous HIBE, 2009. Full version. Available at http://www.eleves.ens.fr/home/ducas/publi/ahibe10/.

[Gen06] Craig Gentry. Practical identity-based encryption without random oracles. In Advances in Cryptology—EUROCRYPT 2006, 2006.

[GPS06] S. D. Galbraith, K. G. Paterson, and N. P. Smart. Pairings for cryptographers. Cryptology ePrint Archive, Report 2006/165, 2006. http://eprint.iacr.org/.

[GS02] Craig Gentry and Alice Silverberg. Hierarchical ID-based cryptography. In Advances in Cryptology—ASIACRYPT 2002, 2002.

[HL02] Jeremy Horwitz and Ben Lynn. Towards hierarchical identity-based encryption. In Advances in Cryptology—EUROCRYPT 2002, 2002.

[IP08] Vincenzo Iovino and Giuseppe Persiano. Hidden-vector encryption with groups of prime order. In Pairing-Based Cryptography, 2008.

[Jou00] Antoine Joux. A one round protocol for tripartite Diffie-Hellman. In Wieb Bosma, editor, Proceedings of ANTS IV, volume 1838, 2000.

[SBC+07] Elaine Shi, John Bethencourt, Hubert T.-H. Chan, Dawn Xiaodong Song, and Adrian Perrig. Multi-dimensional range query over encrypted data. In SP ’07: Proceedings of the 2007 IEEE Symposium on Security and Privacy, 2007.

[Sco02] Mike Scott. Authenticated ID-based key exchange and remote log-in with simple token and PIN number. Cryptology ePrint Archive, Report 2002/164, 2002.

[Sha85] Adi Shamir. Identity-based cryptosystems and signature schemes. In Advances in Cryptology—CRYPTO 1984, 1985.

[SKOS09] Jae Hong Seo, Tetsutaro Kobayashi, Miyako Ohkubo, and Koutarou Suzuki. Anonymous hierarchical identity-based encryption with constant size ciphertexts. In Proceedings of the 12th International Conference on Practice and Theory in Public Key Cryptography, Irvine, 2009.

[SW08] Elaine Shi and Brent Waters. Delegating capabilities in predicate encryption systems. In ICALP ’08: Proceedings of the 35th International Colloquium on Automata, Languages and Programming, Part II, 2008.

[Wat05] Brent Waters. Efficient identity-based encryption without random oracles. In Advances in Cryptology—EUROCRYPT 2005, 2005.

A Security Proof for the IBE System of Section 4

We here prove the lemmas of Section 4, restated for convenience.

Lemma 7 (semantic security). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\Big|\Pr\big[\mathcal{A}^{\Gamma} = 0\big] - \Pr\big[\mathcal{A}^{\Gamma'} = 0\big]\Big| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}.$$

This proof is just an adaptation of the original BB1 security proof. The lemma is stated using the decision P-BDH problem, but the proof uses the decision BDH problem, which has been shown to be harder.

Proof. Suppose $\mathcal{A}$ has advantage $\varepsilon$ in distinguishing Game $\Gamma$ from Game $\Gamma'$. We build an algorithm $\mathcal{B}$ that solves the Decision-BDH problem in $(\mathbb{G}, \hat{\mathbb{G}})$.

Algorithm $\mathcal{B}$ is given as input a random 7-tuple $(g, g^a, g^c, \hat g, \hat g^a, \hat g^b, T)$ that is either sampled from $P_{BDH}$ (where $T = e(g, \hat g)^{abc}$) or from $R_{BDH}$ (where $T$ is uniform and independent in $\mathbb{G}_t$). Algorithm $\mathcal{B}$'s goal is to output 1 if $T = e(g, \hat g)^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting an identity $ID^* = I^* \in \mathbb{Z}_p^*$ that it intends to attack.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks random $\gamma', \delta', \eta' \in \mathbb{Z}_p$ and defines:

$$g_1 = g^a,\quad \hat g_1 = \hat g^a,\quad \hat g_2 = \hat g^b,\quad h = g_1^{\gamma'},\quad f = h^{-I^*} g^{\delta'},\quad t = g^{\eta'},\quad g_C = g^c$$

(with $\hat h, \hat f, \hat t$ the corresponding elements of $\hat{\mathbb{G}}$, computed in the same way from $\hat g_1$ and $\hat g$). We want to simulate the system for the parameters:

$$\alpha = a,\quad \beta = b,\quad \gamma = a\gamma',\quad \delta = -\gamma I^* + \delta',\quad \eta = \eta',\quad s = c$$

Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $PP = (g, g_1, h, f, t, \hat g_2, \hat h)$. The corresponding master key is $mk = (\hat g_0 = \hat g^{ab}, \hat g^{\delta}, \hat g^{\eta})$, and $\hat g_0$ is unknown to $\mathcal{B}$.

Phase 1. Algorithm $\mathcal{A}$ issues up to $q_S$ private key queries to $\mathcal{B}$, one at a time. Consider a query for the private key corresponding to $ID = I \in \mathbb{Z}_p^*$, with $I \ne I^*$. For the first part, $\mathcal{B}$ picks random elements $r, R \in \mathbb{Z}_p$ and sets

$$d_0 = \hat g_2^{-\frac{\delta'}{\gamma'(I - I^*)}} \big(\hat h^{I - I^*} \hat g^{\delta'}\big)^{r} \hat g^{\eta' R},\qquad d_1 = \hat g_2^{-\frac{1}{\gamma'(I - I^*)}} \hat g^{r},\qquad d_2 = \hat g^{R}$$

We claim that $(d_0, d_1, d_2)$ is a correctly distributed, valid random private key for identity $I$. To see this, let $\tilde r = r - b/\gamma'(I - I^*)$ in $\mathbb{Z}_p$. Then we have that

$$\hat g_2^{-\frac{\delta'}{\gamma'(I - I^*)}} \big(\hat h^{I - I^*} \hat g^{\delta'}\big)^{r} = \hat g^{-\frac{b\,\delta'}{\gamma'(I - I^*)}} \big(\hat g^{a\gamma'(I - I^*)} \hat g^{\delta'}\big)^{r} = \hat g^{ab} \big(\hat g^{a\gamma'(I - I^*)} \hat g^{\delta'}\big)^{r - \frac{b}{\gamma'(I - I^*)}} = \hat g_0 \big(\hat h^{I} \hat f\big)^{\tilde r}$$

It follows that the private key $(d_0, d_1, d_2)$ defined above satisfies

$$d_0 = \hat g_0 \big(\hat h^{I} \hat f\big)^{\tilde r}\, \hat t^{R},\qquad d_1 = \hat g^{\tilde r},\qquad d_2 = \hat g^{R}$$

where the exponents $\tilde r, R$ are uniform and independent in $\mathbb{Z}_p$. This matches the definition; hence, $d = (d_0, d_1, d_2)$ is a valid private key for $I$. Algorithm $\mathcal{B}$ sends $d$ to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs one message $M \in \mathbb{G}_t$ on which it wishes to be challenged. Algorithm $\mathcal{B}$ responds with the challenge ciphertext $CT = (M \cdot T,\ g_C,\ g_C^{\delta'},\ g_C^{\eta'})$. Since $g^{\delta'} = h^{I^*} f$, we have that

$$CT = \big(M \cdot T,\ g^c,\ (h^{I^*} f)^c,\ t^c\big)$$

Phase 2. Algorithm $\mathcal{A}$ continues to adaptively issue queries not issued in Phase 1, up to a total of $q_S$ queries. Algorithm $\mathcal{B}$ responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $\nu \in \{0, 1\}$. Algorithm $\mathcal{B}$ concludes by answering $\mathcal{A}$'s guess $\nu$.

Hence, when $T = e(g, \hat g)^{abc} = e(g, \hat g_0)^c$, i.e., when $\mathcal{B}$'s input 7-tuple is sampled from $P_{BDH}$, then $CT$ is a valid encryption of $M$ under the public key $I^*$ initially chosen by the adversary: $\mathcal{A}$ is playing Game $\Gamma$.

On the other hand, when $T$ is uniform and independent in $\mathbb{G}_t$, i.e., when $\mathcal{B}$'s input 7-tuple is sampled from $R_{BDH}$, then $CT = (R, B, C_1, Z)$ for a random $R$: $\mathcal{A}$ is playing Game $\Gamma'$.

So, if $\mathcal{A}$ has an advantage $\varepsilon$ in distinguishing Game $\Gamma$ from Game $\Gamma'$ then $\mathcal{B}$ has the same advantage $\varepsilon$ against decision-BDH.

This completes the proof of lemma 1.

This proof is just an adaptation of the original BB1 security proof. At this point we have confidentiality, still using only the decision BDH assumption. The proofs of the two anonymity lemmas, even though they rely on a stronger assumption, follow a very similar idea.

Lemma 8 (anonymity, part 1). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\Big|\Pr\big[\mathcal{A}^{\Gamma'} = 0\big] - \Pr\big[\mathcal{A}^{\Gamma_0} = 0\big]\Big| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}.$$

Proof. Suppose $\mathcal{A}$ has advantage $\varepsilon$ in distinguishing Game $\Gamma'$ from Game $\Gamma_0$. We build an algorithm $\mathcal{B}$ that solves the Decision-P-BDH problem in $(\mathbb{G}, \hat{\mathbb{G}})$. Algorithm $\mathcal{B}$ is given as input a random 8-tuple $(g, g^a, g^{ab}, g^c, \hat g, \hat g^a, \hat g^b, T)$ that is either sampled from $D_N$ (where $T = g^{abc}$) or from $D_R$ (where $T$ is uniform and independent in $\mathbb{G}$). Algorithm $\mathcal{B}$'s goal is to output 1 if $T = g^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting an identity $ID^* = I^* \in \mathbb{Z}_p^*$ that it intends to attack.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks random $\alpha', \beta', \delta' \in \mathbb{Z}_p$ and defines:

$$g_1 = g^{\alpha'},\quad \hat g_1 = \hat g^{\alpha'},\quad \hat g_2 = \hat g^{\beta'},\quad h = g^a,\quad \hat h = \hat g^a,\quad f = h^{-I^*} g^{\delta'},\quad \hat f = \hat h^{-I^*} \hat g^{\delta'},\quad t = g^{ab},\quad g_C = g^c,\quad \hat g_B = \hat g^b$$

We want to simulate the system for the parameters:

$$\alpha = \alpha',\quad \beta = \beta',\quad \gamma = a,\quad \delta = -\gamma I^* + \delta',\quad \eta = ab,\quad s = c$$

Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $PP = (g, g_1, g_2, h, f, t)$. The corresponding master key is $mk = (\hat g^{\alpha'\beta'}, \hat f, \hat t = \hat g^{ab})$, and $\hat t$ is unknown to $\mathcal{B}$.

Phase 1. Algorithm $\mathcal{A}$ issues up to $q_S$ private key queries to $\mathcal{B}$, one at a time. Consider a query for the private key corresponding to $ID = I \in \mathbb{Z}_p^*$, with $I \ne I^*$. For the first part, $\mathcal{B}$ picks random elements $r, R \in \mathbb{Z}_p$ and sets

$$d_0 = \hat g_0 \big(\hat h^{I - I^*} \hat g^{\delta'}\big)^{r} \hat g_B^{-\frac{\delta' R}{I - I^*}},\qquad d_1 = \hat g_B^{-\frac{R}{I - I^*}} \hat g^{r},\qquad d_2 = \hat g^{R}$$

We claim that $(d_0, d_1, d_2)$ is a correctly distributed, valid random private key for identity $I$. To see this, let $\tilde r = r - bR/(I - I^*)$ in $\mathbb{Z}_p$. Then we have that

$$\big(\hat h^{I - I^*} \hat g^{\delta'}\big)^{r} \hat g_B^{-\frac{\delta' R}{I - I^*}} = \big(\hat g^{a(I - I^*)} \hat g^{\delta'}\big)^{r} \hat g^{-\frac{b\,\delta' R}{I - I^*}} = \big(\hat g^{a(I - I^*)} \hat g^{\delta'}\big)^{r - \frac{bR}{I - I^*}} \hat g^{abR} = \big(\hat h^{I} \hat f\big)^{\tilde r}\, \hat t^{R}$$

It follows that the private key $(d_0, d_1, d_2)$ defined above satisfies

$$d_0 = \hat g_0 \big(\hat h^{I} \hat f\big)^{\tilde r}\, \hat t^{R},\qquad d_1 = \hat g^{\tilde r},\qquad d_2 = \hat g^{R}$$

where the exponents $\tilde r, R$ are uniform and independent in $\mathbb{Z}_p$. This matches the definition; hence, $d = (d_0, d_1, d_2)$ is a valid private key for $I$. Algorithm $\mathcal{B}$ sends $d$ to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs one message $M \in \mathbb{G}_t$ on which it wishes to be challenged. Algorithm $\mathcal{B}$ picks a random $R$ and responds with the challenge ciphertext $CT = (R,\ g_C,\ g_C^{\delta'},\ T)$. Since $g^{\delta'} = h^{I^*} f$, we have that

$$CT = \big(R,\ g^c,\ (h^{I^*} f)^c,\ T\big)$$

Phase 2. Algorithm $\mathcal{A}$ continues to adaptively issue queries not issued in Phase 1, up to a total of $q_S$ queries. Algorithm $\mathcal{B}$ responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $\nu \in \{0, 1\}$. Algorithm $\mathcal{B}$ concludes by answering $\mathcal{A}$'s guess $\nu$.

Hence, when $T = g^{abc} = t^c$, i.e., when $\mathcal{B}$'s input 8-tuple is sampled from $D_N$, then $CT = (R, B, C_1, Z)$ for a random $R$: $\mathcal{A}$ is playing Game $\Gamma'$. On the other hand, when $T$ is uniform and independent in $\mathbb{G}$, i.e., when $\mathcal{B}$'s input 8-tuple is sampled from $D_R$, then $CT = (R, B, C_1, R')$ for random $R$ and $R'$: $\mathcal{A}$ is playing Game $\Gamma_0$. So, if $\mathcal{A}$ has an advantage $\varepsilon$ in distinguishing Game $\Gamma'$ from Game $\Gamma_0$ then $\mathcal{B}$ has the same advantage $\varepsilon$ against decision-P-BDH.

This completes the proof of lemma 2.

Lemma 9 (anonymity, part 2). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\Big|\Pr\big[\mathcal{A}^{\Gamma_0} = 0\big] - \Pr\big[\mathcal{A}^{\Gamma_1} = 0\big]\Big| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}.$$

Proof. Suppose $\mathcal{A}$ has advantage $\varepsilon$ in distinguishing Game $\Gamma_0$ from Game $\Gamma_1$. We build an algorithm $\mathcal{B}$ that solves the Decision-P-BDH problem in $(\mathbb{G}, \hat{\mathbb{G}})$. Algorithm $\mathcal{B}$ is given as input a random 8-tuple $(g, g^a, g^{ab}, g^c, \hat g, \hat g^a, \hat g^b, T)$ that is either sampled from $D_N$ (where $T = g^{abc}$) or from $D_R$ (where $T$ is uniform and independent in $\mathbb{G}$). Algorithm $\mathcal{B}$'s goal is to output 1 if $T = g^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting an identity $ID^* = I^* \in \mathbb{Z}_p^*$ that it intends to attack.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks random $\alpha', \beta', \gamma' \in \mathbb{Z}_p$ and defines:

$$g_1 = g^{\alpha'},\quad \hat g_2 = \hat g^{\beta'},\quad h = g^{\gamma'},\quad \hat h = \hat g^{\gamma'},\quad f = g^{ab},\quad t = g^a,\quad \hat t = \hat g^a,\quad g_C = g^c,\quad \hat g_B = \hat g^b$$

We want to simulate the system for the parameters:

$$\alpha = \alpha',\quad \beta = \beta',\quad \gamma = \gamma',\quad \delta = ab,\quad \eta = a,\quad s = c$$

Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $PP = (g, g_1, g_2, h, f, t)$. The corresponding master key is $mk = (\hat g^{\alpha'\beta'}, \hat f = \hat g^{ab}, \hat t)$, and $\hat f$ is unknown to $\mathcal{B}$.

Phase 1. Algorithm $\mathcal{A}$ issues up to $q_S$ private key queries to $\mathcal{B}$, one at a time. Consider a query for the private key corresponding to $ID = I \in \mathbb{Z}_p^*$, with $I \ne I^*$. For the first part, $\mathcal{B}$ picks random elements $r, R \in \mathbb{Z}_p$ and sets

$$d_0 = \hat g^{\alpha'\beta'} \hat g^{\gamma' I r}\, \hat t^{R},\qquad d_1 = \hat g^{r},\qquad d_2 = \hat g^{R} \hat g_B^{-r}$$

We claim that $(d_0, d_1, d_2)$ is a correctly distributed, valid random private key for identity $I$. To see this, let $\tilde R = R - br$ in $\mathbb{Z}_p$. Then we have that

$$\hat g^{\gamma' I r}\, \hat t^{R} = \hat g^{\gamma' I r} \hat g^{aR} = \hat g^{\gamma' I r} \hat g^{abr} \hat g^{a(R - br)} = \big(\hat h^{I} \hat f\big)^{r}\, \hat t^{\tilde R}$$

It follows that the private key $(d_0, d_1, d_2)$ defined above satisfies

$$d_0 = \hat g_0 \big(\hat h^{I} \hat f\big)^{r}\, \hat t^{\tilde R},\qquad d_1 = \hat g^{r},\qquad d_2 = \hat g^{\tilde R}$$

where the exponents $r, \tilde R$ are uniform and independent in $\mathbb{Z}_p$. This matches the definition; hence, $d = (d_0, d_1, d_2)$ is a valid private key for $I$. Algorithm $\mathcal{B}$ sends $d$ to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs one message $M \in \mathbb{G}_t$ on which it wishes to be challenged. Algorithm $\mathcal{B}$ picks random $R, R'$ and responds with the challenge ciphertext $CT = (R,\ g_C,\ g_C^{\gamma' I^*}\, T,\ R')$, which is equal to

$$CT = \big(R,\ g_C,\ h^{I^* c}\, T,\ R'\big)$$

Phase 2. Algorithm $\mathcal{A}$ continues to adaptively issue queries not issued in Phase 1, up to a total of $q_S$ queries. Algorithm $\mathcal{B}$ responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $\nu \in \{0, 1\}$. Algorithm $\mathcal{B}$ concludes by answering $\mathcal{A}$'s guess $\nu$.

Hence, when $T = g^{abc} = f^c$, i.e., when $\mathcal{B}$'s input 8-tuple is sampled from $D_N$, then $CT = (R, B, C_1, R')$ for random $R$ and $R'$: $\mathcal{A}$ is playing Game $\Gamma_0$. On the other hand, when $T$ is uniform and independent in $\mathbb{G}$, i.e., when $\mathcal{B}$'s input 8-tuple is sampled from $D_R$, then $CT = (R, B, R'', R')$ for random $R$, $R'$ and $R''$: $\mathcal{A}$ is playing Game $\Gamma_1$. So, if $\mathcal{A}$ has an advantage $\varepsilon$ in distinguishing Game $\Gamma_0$ from Game $\Gamma_1$ then $\mathcal{B}$ has the same advantage $\varepsilon$ against decision-P-BDH.

This completes the proof of lemma 3.

B Security Proof for the delegatable HVE of Section 5

We here prove the lemmas of Section 5, restated for convenience.

Lemma 10 (semantic security). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\Big|\Pr\big[\mathcal{A}^{\Gamma} = 0\big] - \Pr\big[\mathcal{A}^{\Gamma'} = 0\big]\Big| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}.$$

Once again, the semantic security lemma is stated using the decision P-BDH problem, but the proof uses the decision BDH problem, which has been shown to be harder.

Proof. Suppose $\mathcal{A}$ has advantage $\varepsilon$ in distinguishing Game $\Gamma$ from Game $\Gamma'$. We build an algorithm $\mathcal{B}$ that solves the Decision-BDH problem in $(\mathbb{G}, \hat{\mathbb{G}})$.

Algorithm $\mathcal{B}$ is given as input a random 7-tuple $(g, g^a, g^c, \hat g, \hat g^a, \hat g^b, T)$ that is either sampled from $P_{BDH}$ (where $T = e(g, \hat g)^{abc}$) or from $R_{BDH}$ (where $T$ is uniform and independent in $\mathbb{G}_t$). Algorithm $\mathcal{B}$'s goal is to output 1 if $T = e(g, \hat g)^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting a vector $\mathbf{v}^* \in (\mathbb{Z}_p^*)^{\ell}$ that it intends to attack.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks random $\boldsymbol{\delta}' \in \mathbb{Z}_p^{\ell}$, $\gamma', \eta' \in \mathbb{Z}_p$ and defines:

$$g_1 = g^a,\quad \hat g_1 = \hat g^a,\quad \hat g_2 = \hat g^b,\quad h = g_1^{\gamma'},\quad f_i = h^{-v^*_i} g^{\delta'_i},\quad t = g^{\eta'},\quad g_C = g^c$$

We want to simulate the system for the parameters:

$$\alpha = a,\quad \beta = b,\quad \gamma = a\gamma',\quad \boldsymbol{\delta} = -\gamma \cdot \mathbf{v}^* + \boldsymbol{\delta}',\quad \eta = \eta',\quad s = c$$

Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $PP = (g, g_1, g_2, h, \mathbf{f}, t)$. The corresponding master key is $mk = (\hat g_0 = \hat g^{ab},\ \boldsymbol{\delta} \cdot (\hat g),\ \hat g^{\eta})$, and $\hat g_0$ is unknown to $\mathcal{B}$.

Phase 1. Algorithm $\mathcal{A}$ issues up to $q_S$ private key queries to $\mathcal{B}$, one at a time. Consider a query for the private key corresponding to $\mathbf{w}$, with $\mathbf{w} \not\geq \mathbf{v}^*$. So, there exists an index $j \le \ell$ such that $w_j \ne *$ and $w_j \ne v^*_j$. Thanks to Derive it is sufficient to build a valid key for the token $\mathbf{w}' = (*, \ldots, *, w_j, *, \ldots, *)$. Also, since only $\hat g_0$ is unknown to the simulator, generating the delegation and re-randomization parts of the key needs no special tricks; we only have to show how to build a valid $d^{dec}_{\mathbf{w}'}$. To do so, $\mathcal{B}$ picks random elements $r, R \in \mathbb{Z}_p$ and sets

$$d_0 = \hat g_2^{-\frac{\delta'_j}{\gamma'(w_j - v^*_j)}} \big(\hat h^{w_j - v^*_j} \hat g^{\delta'_j}\big)^{r} \hat g^{\eta' R},\qquad d_1 = \hat g_2^{-\frac{1}{\gamma'(w_j - v^*_j)}} \hat g^{r},\qquad d_2 = \hat g^{R}$$

We claim that $(d_0, d_1, d_2)$ is a correctly distributed, valid random decryption key for token $\mathbf{w}'$. To see this, let $\tilde r = r - b/\gamma'(w_j - v^*_j)$ in $\mathbb{Z}_p$. Then we have that

$$\hat g_2^{-\frac{\delta'_j}{\gamma'(w_j - v^*_j)}} \big(\hat h^{w_j - v^*_j} \hat g^{\delta'_j}\big)^{r} = \hat g^{-\frac{b\,\delta'_j}{\gamma'(w_j - v^*_j)}} \big(\hat g^{a\gamma'(w_j - v^*_j)} \hat g^{\delta'_j}\big)^{r} = \hat g^{ab} \big(\hat g^{a\gamma'(w_j - v^*_j)} \hat g^{\delta'_j}\big)^{r - \frac{b}{\gamma'(w_j - v^*_j)}} = \hat g_0 \big(\hat h^{w_j} \hat f_j\big)^{\tilde r}$$

It follows that the decryption key $(d_0, d_1, d_2)$ defined above satisfies

$$d_0 = \hat g_0 \big(\hat h^{w_j} \hat f_j\big)^{\tilde r}\, \hat t^{R},\qquad d_1 = \hat g^{\tilde r},\qquad d_2 = \hat g^{R}$$

where the exponents $\tilde r, R$ are uniform and independent in $\mathbb{Z}_p$. This matches the definition; hence, $d = (d_0, d_1, d_2)$ is a valid private key for $\mathbf{w}$. Algorithm $\mathcal{B}$ uses $d$ to build a complete key $d_{\mathbf{w}'}$ and sends it to $\mathcal{A}$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs one message $M \in \mathbb{G}_t$ on which it wishes to be challenged. Algorithm $\mathcal{B}$ responds with the challenge ciphertext $CT = (M \cdot T,\ g_C,\ \boldsymbol{\delta}' \cdot (g_C),\ g_C^{\eta'})$. Since $\boldsymbol{\delta}' \cdot (g) = \mathbf{v}^* \cdot (h) + \mathbf{f}$, we have that

$$CT = \Big(M \cdot T,\ g^c,\ (c) \cdot \big(\mathbf{v}^* \cdot (h) + \mathbf{f}\big),\ t^c\Big)$$

Phase 2. Algorithm $\mathcal{A}$ continues to adaptively issue queries not issued in Phase 1, up to a total of $q_S$ queries. Algorithm $\mathcal{B}$ responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $\nu \in \{0, 1\}$. Algorithm $\mathcal{B}$ concludes by answering $\mathcal{A}$'s guess $\nu$.

Hence, when $T = e(g, \hat g)^{abc} = e(g, \hat g_0)^c$, i.e., when $\mathcal{B}$'s input 7-tuple is sampled from $P_{BDH}$, then $CT$ is a valid encryption of $M$ under the vector $\mathbf{v}^*$ initially chosen by the adversary: $\mathcal{A}$ is playing Game $\Gamma$.

On the other hand, when $T$ is uniform and independent in $\mathbb{G}_t$, i.e., when $\mathcal{B}$'s input 7-tuple is sampled from $R_{BDH}$, then $CT = (R, B, [C_i]_{i=1}^{\ell}, Z)$ for a random $R$: $\mathcal{A}$ is playing Game $\Gamma'$.

So, if $\mathcal{A}$ has an advantage $\varepsilon$ in distinguishing Game $\Gamma$ from Game $\Gamma'$ then $\mathcal{B}$ has the same advantage $\varepsilon$ against decision-BDH.

This completes the proof of lemma 4.

This proof is just an adaptation of the original BB1 security proof. At this point we have confidentiality, still using only the decision BDH assumption. The proofs of the two anonymity lemmas, even though they rely on a stronger assumption, follow a very similar idea.

Lemma 11 (anonymity, part 1). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\Big|\Pr\big[\mathcal{A}^{\Gamma'} = 0\big] - \Pr\big[\mathcal{A}^{\Gamma_0} = 0\big]\Big| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}.$$

Proof. Suppose $\mathcal{A}$ has advantage $\varepsilon$ in distinguishing Game $\Gamma'$ from Game $\Gamma_0$. We build an algorithm $\mathcal{B}$ that solves the Decision-P-BDH problem in $(\mathbb{G}, \hat{\mathbb{G}})$. Algorithm $\mathcal{B}$ is given as input a random 8-tuple $(g, g^a, g^{ab}, g^c, \hat g, \hat g^a, \hat g^b, T)$ that is either sampled from $D_N$ (where $T = g^{abc}$) or from $D_R$ (where $T$ is uniform and independent in $\mathbb{G}$). Algorithm $\mathcal{B}$'s goal is to output 1 if $T = g^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting a vector $\mathbf{v}^* \in (\mathbb{Z}_p^*)^{\ell}$ that it intends to attack.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks random $\alpha', \beta' \in \mathbb{Z}_p$, $\boldsymbol{\delta}' \in \mathbb{Z}_p^{\ell}$ and defines:

$$g_1 = g^{\alpha'},\quad \hat g_1 = \hat g^{\alpha'},\quad \hat g_2 = \hat g^{\beta'},\quad h = g^a,\quad \hat h = \hat g^a,\quad f_i = h^{-v^*_i} g^{\delta'_i},\quad \hat f_i = \hat h^{-v^*_i} \hat g^{\delta'_i},\quad t = g^{ab},\quad g_C = g^c,\quad \hat g_B = \hat g^b$$

We want to simulate the system for the parameters:

$$\alpha = \alpha',\quad \beta = \beta',\quad \gamma = a,\quad \boldsymbol{\delta} = -a \cdot \mathbf{v}^* + \boldsymbol{\delta}',\quad \eta = ab,\quad s = c$$

Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $PP = (g, g_1, g_2, h, \mathbf{f}, t)$. The corresponding master key is $mk = (\hat g^{\alpha'\beta'}, \hat{\mathbf{f}}, \hat t = \hat g^{ab})$, and $\hat t$ is unknown to $\mathcal{B}$.

Phase 1. Algorithm $\mathcal{A}$ issues up to $q_S$ private key queries to $\mathcal{B}$, one at a time. Consider a query for the token $\mathbf{w}$, with $\mathbf{w} \not\geq \mathbf{v}^*$. So, there exists an index $j \le \ell$ such that $w_j \ne *$ and $w_j \ne v^*_j$. Thanks to Derive it is sufficient to build a valid key for the token $\mathbf{w}' = (*, \ldots, *, w_j, *, \ldots, *)$. Considering that the simulator knows $\hat g_0$ and $\hat{\mathbf{f}}$, it is sufficient to be able to build $\ell + 2$ triples of the form

$$\Big(\big(\hat h^{w_j} \hat f_j\big)^{r}\, \hat t^{R},\ \hat g^{r},\ \hat g^{R}\Big)$$

for independent random $r, R \in \mathbb{Z}_p$.

For the first part, $\mathcal{B}$ picks random elements $r, R \in \mathbb{Z}_p$ and sets

$$d_0 = \big(\hat h^{w_j - v^*_j} \hat g^{\delta'_j}\big)^{r} \hat g_B^{-\frac{\delta'_j R}{w_j - v^*_j}},\qquad d_1 = \hat g_B^{-\frac{R}{w_j - v^*_j}} \hat g^{r},\qquad d_2 = \hat g^{R}$$

We claim that $(d_0, d_1, d_2)$ is a correctly distributed triple as previously described. To see this, let $\tilde r = r - bR/(w_j - v^*_j)$ in $\mathbb{Z}_p$. Then we have that

$$\big(\hat h^{w_j - v^*_j} \hat g^{\delta'_j}\big)^{r} \hat g_B^{-\frac{\delta'_j R}{w_j - v^*_j}} = \big(\hat g^{a(w_j - v^*_j)} \hat g^{\delta'_j}\big)^{r} \hat g^{-\frac{b\,\delta'_j R}{w_j - v^*_j}} = \big(\hat g^{a(w_j - v^*_j)} \hat g^{\delta'_j}\big)^{r - \frac{bR}{w_j - v^*_j}} \hat g^{abR} = \big(\hat h^{w_j} \hat f_j\big)^{\tilde r}\, \hat t^{R}$$

It follows that the triple $(d_0, d_1, d_2)$ defined above satisfies

$$d_0 = \big(\hat h^{w_j} \hat f_j\big)^{\tilde r}\, \hat t^{R},\qquad d_1 = \hat g^{\tilde r},\qquad d_2 = \hat g^{R}$$

where the exponents $\tilde r, R$ are uniform and independent in $\mathbb{Z}_p$. This matches the definition; hence, we can build $\ell + 2$ triples, and easily transform them into a proper matrix key for token $\mathbf{w}'$.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs one message $M \in \mathbb{G}_t$ on which it wishes to be challenged. Algorithm $\mathcal{B}$ picks a random $R$ and responds with the challenge ciphertext $CT = (R,\ g_C,\ \boldsymbol{\delta}' \cdot (g_C),\ T)$. Since $\boldsymbol{\delta}' \cdot (g) = \mathbf{v}^* \cdot (h) + \mathbf{f}$, we have that

$$CT = \Big(R,\ g^c,\ (c) \cdot \big(\mathbf{v}^* \cdot (h) + \mathbf{f}\big),\ T\Big)$$

Phase 2. Algorithm $\mathcal{A}$ continues to adaptively issue queries not issued in Phase 1, up to a total of $q_S$ queries. Algorithm $\mathcal{B}$ responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $\nu \in \{0, 1\}$. Algorithm $\mathcal{B}$ concludes by answering $\mathcal{A}$'s guess $\nu$.

Hence, when $T = g^{abc} = t^c$, i.e., when $\mathcal{B}$'s input 8-tuple is sampled from $D_N$, then $CT = (R, B, C_1, Z)$ for a random $R$: $\mathcal{A}$ is playing Game $\Gamma'$. On the other hand, when $T$ is uniform and independent in $\mathbb{G}$, i.e., when $\mathcal{B}$'s input 8-tuple is sampled from $D_R$, then $CT = (R, B, C_1, R')$ for random $R$ and $R'$: $\mathcal{A}$ is playing Game $\Gamma_0$. So, if $\mathcal{A}$ has an advantage $\varepsilon$ in distinguishing Game $\Gamma'$ from Game $\Gamma_0$ then $\mathcal{B}$ has the same advantage $\varepsilon$ against decision-P-BDH.

This completes the proof of lemma 5.

Lemma 12 (anonymity, part 2). Let $\mathcal{A}$ be an adversary playing the aIND-sID-CPA attack game. Then, for all $n = 1, \ldots, \ell$, there exists an algorithm $\mathcal{B}$ solving the Decision P-BDH problem such that:

$$\Big|\Pr\big[\mathcal{A}^{\Gamma_{n-1}} = 0\big] - \Pr\big[\mathcal{A}^{\Gamma_n} = 0\big]\Big| \le \mathrm{Adv}^{\text{P-BDH}}_{\mathcal{B}}.$$

Proof. Suppose $\mathcal{A}$ has advantage $\varepsilon$ in distinguishing Game $\Gamma_{n-1}$ from Game $\Gamma_n$. We build an algorithm $\mathcal{B}$ that solves the Decision-P-BDH problem in $(\mathbb{G}, \hat{\mathbb{G}})$. Algorithm $\mathcal{B}$ is given as input a random 8-tuple $(g, g^a, g^{ab}, g^c, \hat g, \hat g^a, \hat g^b, T)$ that is either sampled from $D_N$ (where $T = g^{abc}$) or from $D_R$ (where $T$ is uniform and independent in $\mathbb{G}$). Algorithm $\mathcal{B}$'s goal is to output 1 if $T = g^{abc}$ and 0 otherwise. Algorithm $\mathcal{B}$ works by interacting with $\mathcal{A}$ in a selective identity game as follows:

Initialization. The selective identity game begins with $\mathcal{A}$ first outputting a vector $\mathbf{v}^* \in (\mathbb{Z}_p^*)^{\ell}$ that it intends to attack.

Setup. To generate the system parameters, algorithm $\mathcal{B}$ picks random $\alpha', \beta', \gamma' \in \mathbb{Z}_p$, $\boldsymbol{\delta}' \in \mathbb{Z}_p^{\ell}$ and defines:

$$g_1 = g^{\alpha'},\quad \hat g_2 = \hat g^{\beta'},\quad h = g^{\gamma'},\quad \hat h = \hat g^{\gamma'},\quad f_i = g^{\delta'_i}\ \text{for } i \ne n,\quad f_n = g^{ab},\quad t = g^a,\quad \hat t = \hat g^a,\quad g_C = g^c,\quad \hat g_B = \hat g^b$$

We want to simulate the system for the parameters:

$$\alpha = \alpha',\quad \beta = \beta',\quad \gamma = \gamma',\quad \boldsymbol{\delta} = (\delta'_1, \ldots, \delta'_{n-1},\ ab,\ \delta'_{n+1}, \ldots, \delta'_{\ell}),\quad \eta = a,\quad s = c$$

Algorithm $\mathcal{B}$ gives $\mathcal{A}$ the system parameters $PP = (g, g_1, g_2, h, \mathbf{f}, t)$. The corresponding master key is $mk = (\hat g^{\alpha'\beta'}, \hat{\mathbf{f}}, \hat t)$ with $\hat f_n = \hat g^{ab}$, and $\hat f_n$ is unknown to $\mathcal{B}$.

Phase 1. Algorithm $\mathcal{A}$ issues up to $q_S$ private key queries to $\mathcal{B}$, one at a time. We show here that the simulator can build a key for the most general token $\mathbf{w}_0 = (*, \ldots, *)$; thus, it can delegate keys for any token. Such a key should have the form

$$\Big(\big(\hat g_0\, \hat t^{r_{-1}},\ \hat g^{r_{-1}}\big),\ \big(\hat t^{r_0},\ \hat g^{r_0}\big),\ \big[\hat f_i\, \hat t^{r_i},\ \hat g^{r_i}\big]_{i=1}^{\ell}\Big)$$

for random $r_{-1}, \ldots, r_{\ell}$. All the lines of this matrix can be generated naturally except the one involving $\hat f_n$. We can generate the desired couple the following way: take a random $r$ and set

$$d_0 = \hat t^{r},\qquad d_1 = \hat g^{r}\, \hat g_B^{-1}$$

We claim that $(d_0, d_1)$ is a correctly distributed couple for the $n$-th line of the key. To see this, let $\tilde r = r - b$ in $\mathbb{Z}_p$:

$$d_0 = \hat g^{ab}\, \hat t^{\tilde r} = \hat f_n\, \hat t^{\tilde r},\qquad d_1 = \hat g^{\tilde r}$$

where the exponent $\tilde r$ is uniformly random in $\mathbb{Z}_p$. This matches the definition; hence, $\mathcal{B}$ is capable of answering properly any query.

Challenge. When $\mathcal{A}$ decides that Phase 1 is over, it outputs one message $M \in \mathbb{G}_t$ on which it wishes to be challenged. Algorithm $\mathcal{B}$ picks random $R, R_1, \ldots, R_{n-1}, R'$ and responds with the challenge ciphertext

$$CT = \Big(R,\ g_C,\ [R_i]_{i=1}^{n-1},\ g_C^{\gamma' v^*_n}\, T,\ \big[g_C^{\gamma' v^*_i + \delta'_i}\big]_{i=n+1}^{\ell},\ R'\Big)$$

which is equal to

$$CT = \Big(R,\ g_C,\ [R_i]_{i=1}^{n-1},\ g_C^{\gamma' v^*_n}\, T,\ \big[(h^{v^*_i} f_i)^c\big]_{i=n+1}^{\ell},\ R'\Big)$$

Phase 2. Algorithm $\mathcal{A}$ continues to adaptively issue queries not issued in Phase 1, up to a total of $q_S$ queries. Algorithm $\mathcal{B}$ responds as before.

Guess. Finally, $\mathcal{A}$ outputs a guess $\nu \in \{0, 1\}$. Algorithm $\mathcal{B}$ concludes by answering $\mathcal{A}$'s guess $\nu$.

When the input tuple is sampled from $D_N$ (where $T = g^{abc}$), then $\mathcal{A}$'s view is identical to its view in Game $\Gamma_{n-1}$. When the input tuple is sampled from $D_R$ (where $T$ is uniform in $\mathbb{G}$), then $\mathcal{A}$'s view is identical to its view in Game $\Gamma_n$; thus, the advantage of $\mathcal{B}$ against Decision P-BDH is as good as $\mathcal{A}$'s advantage in distinguishing Game $\Gamma_{n-1}$ from Game $\Gamma_n$, which completes the proof of lemma 6.
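The "let $\tilde r = \ldots$" steps in the proofs above (Lemmas 7, 8, 9 and 12, and the vector versions in Lemmas 10 and 11, which are the same substitutions with $(w_j, v^*_j)$ in place of $(I, I^*)$) are equalities of exponents in $\mathbb{Z}_p$. The following Python script is an added example, not part of the paper or of any pairing library: it models $\hat{\mathbb{G}}$ by its exponents (valid because $x \mapsto \hat g^{x}$ is a bijection from $\mathbb{Z}_p$ to a group of prime order $p$) and checks, on random instances, that the key the simulator $\mathcal{B}$ hands out has exactly the exponents of a real key with the shifted randomness. The modulus `P`, the trial count and the sampling are the example's own choices; no pairing is computed.

```python
"""Exponent-space check of the simulator key substitutions (added example).

Ĝ has prime order p, so x -> ĝ^x is a bijection Z_p -> Ĝ and two group
elements are equal exactly when their exponents agree mod p.  Each function
computes, in Z_p, the exponents of the key the simulator B outputs and of
the key a real Extract would output with the shifted randomness (r~ or R~)
named in the proof, and reports whether they coincide.  Exponents B does not
know (b, or a*b) appear only on the "real key" side, as in the proofs.
"""
import random

P = 2**127 - 1  # a prime (assumption of this example); stands in for the group order p


def inv(x):
    """Multiplicative inverse mod P (P is prime, so any nonzero x works)."""
    return pow(x % P, -1, P)


def lemma7_key_matches(a, b, I, I_star, gamma_p, delta_p, eta_p, r, R):
    """Lemma 7: ĥ = ĝ_1^{γ'} = ĝ^{aγ'}, f̂ = ĥ^{-I*} ĝ^{δ'}, t̂ = ĝ^{η'},
    ĝ_0 = ĝ^{ab} unknown to B, ĝ_2 = ĝ^b known."""
    denom = gamma_p * (I - I_star) % P
    # what B computes: ĝ_2^{-δ'/denom} (ĥ^{I-I*} ĝ^{δ'})^r ĝ^{η'R} and ĝ_2^{-1/denom} ĝ^r
    sim_d0 = (-delta_p * inv(denom) * b
              + (a * gamma_p * (I - I_star) + delta_p) * r + eta_p * R) % P
    sim_d1 = (-inv(denom) * b + r) % P
    # a real key with r~ = r - b/(γ'(I-I*)): ĝ_0 (ĥ^I f̂)^{r~} t̂^R and ĝ^{r~}
    r_t = (r - b * inv(denom)) % P
    log_hI_f = (a * gamma_p * (I - I_star) + delta_p) % P   # log_ĝ of ĥ^I f̂
    real_d0 = (a * b + log_hI_f * r_t + eta_p * R) % P
    return sim_d0 == real_d0 and sim_d1 == r_t


def lemma8_key_matches(a, b, I, I_star, alpha_p, beta_p, delta_p, r, R):
    """Lemma 8: ĥ = ĝ^a, f̂ = ĥ^{-I*} ĝ^{δ'}, ĝ_0 = ĝ^{α'β'},
    t̂ = ĝ^{ab} unknown to B, ĝ_B = ĝ^b known."""
    d = (I - I_star) % P
    # what B computes: ĝ_0 (ĥ^{I-I*} ĝ^{δ'})^r ĝ_B^{-δ'R/(I-I*)} and ĝ_B^{-R/(I-I*)} ĝ^r
    sim_d0 = (alpha_p * beta_p + (a * d + delta_p) * r
              - delta_p * R * inv(d) * b) % P
    sim_d1 = (-R * inv(d) * b + r) % P
    # a real key with r~ = r - bR/(I-I*): ĝ_0 (ĥ^I f̂)^{r~} t̂^R and ĝ^{r~}
    r_t = (r - b * R * inv(d)) % P
    real_d0 = (alpha_p * beta_p + (a * d + delta_p) * r_t + a * b * R) % P
    return sim_d0 == real_d0 and sim_d1 == r_t


def lemma9_key_matches(a, b, I, alpha_p, beta_p, gamma_p, r, R):
    """Lemma 9: ĥ = ĝ^{γ'}, t̂ = ĝ^a, ĝ_0 = ĝ^{α'β'},
    f̂ = ĝ^{ab} unknown to B, ĝ_B = ĝ^b known."""
    # what B computes: ĝ_0 ĝ^{γ'Ir} t̂^R, ĝ^r, ĝ^R ĝ_B^{-r}
    sim_d0 = (alpha_p * beta_p + gamma_p * I * r + a * R) % P
    sim_d2 = (R - b * r) % P
    # a real key with R~ = R - br: ĝ_0 (ĥ^I f̂)^r t̂^{R~}, ĝ^r, ĝ^{R~}
    R_t = (R - b * r) % P
    real_d0 = (alpha_p * beta_p + (gamma_p * I + a * b) * r + a * R_t) % P
    return sim_d0 == real_d0 and sim_d2 == R_t


def lemma12_line_matches(a, b, r):
    """Lemma 12: the n-th line (f̂_n t̂^{r~}, ĝ^{r~}) built as (t̂^r, ĝ^r ĝ_B^{-1})
    with t̂ = ĝ^a, f̂_n = ĝ^{ab} unknown to B, and r~ = r - b."""
    sim_d0, sim_d1 = a * r % P, (r - b) % P
    r_t = (r - b) % P
    real_d0 = (a * b + a * r_t) % P
    return sim_d0 == real_d0 and sim_d1 == r_t


def check_all(trials=25, seed=2009):
    """Run every identity on random instances; True when all of them hold."""
    rng = random.Random(seed)

    def nz():                                 # nonzero element of Z_p
        return rng.randrange(1, P)

    for _ in range(trials):
        a, b, I, I_star = nz(), nz(), nz(), nz()
        while I_star == I:                    # the proofs require I != I*
            I_star = nz()
        ap, bp, gp, dp, ep, r, R = (nz() for _ in range(7))
        if not (lemma7_key_matches(a, b, I, I_star, gp, dp, ep, r, R)
                and lemma8_key_matches(a, b, I, I_star, ap, bp, dp, r, R)
                and lemma9_key_matches(a, b, I, ap, bp, gp, r, R)
                and lemma12_line_matches(a, b, r)):
            return False
    return True


if __name__ == "__main__":
    print("all simulated keys are correctly distributed:", check_all())
```

Each check mirrors the proof's cancellation: the term the simulator cannot compute ($ab$ or $abR$) is produced by the shift in $r$ or $R$ and absorbed by the known term, which is why the shifted value must be well defined, i.e. why the proofs need $I \ne I^*$ (and $\gamma' \ne 0$ in Lemma 7).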

C The Hybrid anonymous HIBE system

We here describe how to apply our anonymizing tweak to the compact HIBE of [BBG05].

C.1 Security assumption

The security of this system relies on a stronger assumption, which is the asymmetric analogue of the assumption used in the HIBE of [BBG05]. For $i = 1, 2, \ldots$ we define the following two distributions:

– $D^i_N := \big(g, g^a, \ldots, g^{a^{i+1}}, g^c,\ \hat g, \hat g^a, \ldots, \hat g^{a^i},\ g^{a^{i+1} c}\big) \in \mathbb{G}^{i+3} \times \hat{\mathbb{G}}^{i+2} \times \mathbb{G}$

– $D^i_R := \big(g, g^a, \ldots, g^{a^{i+1}}, g^c,\ \hat g, \hat g^a, \ldots, \hat g^{a^i},\ T\big) \in \mathbb{G}^{i+3} \times \hat{\mathbb{G}}^{i+2} \times \mathbb{G}$

and let $\mathrm{Adv}^{P_i\text{-BDH}}_{\mathcal{A}}$ be the advantage of $\mathcal{A}$ in distinguishing these distributions.

Definition 4. Let $\mathcal{G}$ be a bilinear group generator. For $i > 0$ we say that Decision $P_i$-BDH holds for $\mathcal{G}$ if, for all PPT algorithms $\mathcal{A}$, the function $\mathrm{Adv}^{P_i\text{-BDH}}_{\mathcal{A}}(\lambda)$ is a negligible function of $\lambda$.

In one variant of our HIBE we use the $P_{\ell}$-BDH assumption to argue anonymity for a hierarchy of depth $\ell$. Our other HIBEs use more compact assumptions, namely $P_i$-BDH for $i$ much smaller than $\ell$.

We note that the $P_{\ell}$-BDH assumption implies the P-BDH assumption, which in turn implies the Decision BDH assumption. The reductions between these assumptions are tight.

C.2 Notations and conventions

Let $u, v$ be positive integers, and $\ell \le uv$ be the desired depth of the hierarchy. Let $ID = (I_1, \ldots, I_k) \in (\mathbb{Z}_p^*)^k$ be an identity of depth $k \le \ell$. We will represent $ID$ as a pair $(k, \mathbf{I})$ where $\mathbf{I} \in (\mathbb{Z}_p^*)^{u \times v}$ is a $u \times v$ matrix filled using the elements $I_1, \ldots, I_k$ in typographic order: one row at a time starting from the top, in each row starting from the left, or, pictorially, for an $ID$ at the maximum depth $\ell$ with $\mathbf{I} = I_1, \ldots, I_{\ell}$ and $\ell = uv$:

$$\mathbf{I} = \begin{pmatrix} I_1 & I_2 & \cdots & I_v \\ I_{v+1} & I_{v+2} & \cdots & I_{2v} \\ \vdots & \vdots & \ddots & \vdots \\ I_{(u-1)v+1} & I_{(u-1)v+2} & \cdots & I_{uv} \end{pmatrix} = \begin{pmatrix} I_{(1,1)} & I_{(1,2)} & \cdots & I_{(1,v)} \\ I_{(2,1)} & I_{(2,2)} & \cdots & I_{(2,v)} \\ \vdots & \vdots & \ddots & \vdots \\ I_{(u,1)} & I_{(u,2)} & \cdots & I_{(u,v)} \end{pmatrix} \qquad (1)$$

padding $\mathbf{I}$ with 0 if necessary. For the rest of the section, we will treat $\mathbf{I}$ as this matrix.

For convenience, we decompose the indices $k = 1, \ldots, \ell$ into row-column pairs $(k_1, k_2)$ such that $k = v \cdot (k_1 - 1) + k_2$ where $k_1, k_2 > 0$. For shorthand, we write $(k_1, k_2) = k$. It follows that in the above matrix representation of $ID$ we have $I_{(i_1, i_2)} = I_i$ for all $i = 1, \ldots, k$.

Last, we redefine for this section the notation $\mathbf{v}|_i$: for a vector $\mathbf{v}$ and an integer $i$, $\mathbf{v}|_i$ is now the restriction of $\mathbf{v}$ to its first $i$ components: $(v_1, \ldots, v_i)$.

C.3 Hybrid anonymous HIBE construction

In the description of our system we treat $u$ as fixed and set $v = \lceil \ell / u \rceil$. One can also choose a parameter $\omega \in [0, 1]$ and set $u = \ell^{\omega}$ (thus $v \le \lceil \ell^{1-\omega} \rceil$), as is done for the efficiency discussion of Section 5.3. Private keys in our system are of size $O(\ell + u^2)$ and security is based on the $P_v$-BDH assumption. Hence, the smaller $u$ is, the shorter the private keys and ciphertexts. However, the smaller $u$ is, the stronger the assumption needed to prove security.

Setup($\ell$): Recall that $uv \ge \ell$. To generate system parameters for an HIBE, given bilinear groups $(\mathbb{G}, \hat{\mathbb{G}})$ with generators $(g, \hat g)$, the setup algorithm first selects random $\alpha, \beta, \eta \in \mathbb{Z}_p$, $\boldsymbol{\gamma} \in (\mathbb{Z}_p)^v$, $\boldsymbol{\delta} \in (\mathbb{Z}_p)^u$, and sets $g_1 = g^{\alpha}$, $g_2 = g^{\beta}$, $\mathbf{h} = \boldsymbol{\gamma} \cdot (g)$, $\mathbf{f} = \boldsymbol{\delta} \cdot (g)$, $t = g^{\eta}$, and their analogues $\hat g_1 = \hat g^{\alpha}$, $\hat g_2 = \hat g^{\beta}$, $\hat{\mathbf{h}} = \boldsymbol{\gamma} \cdot (\hat g)$, $\hat{\mathbf{f}} = \boldsymbol{\delta} \cdot (\hat g)$, $\hat t = \hat g^{\eta}$. The public parameters $PP$ and the master secret $mk$ are:

$$PP = \big(g, g_1, \mathbf{h}, \mathbf{f}, t,\ \hat g, \hat g_2, \hat{\mathbf{h}}\big) \in \mathbb{G}^{3+u+v} \times \hat{\mathbb{G}}^{2+v},\qquad mk = \big(\hat g_0 = \hat g^{\alpha\beta}, \hat{\mathbf{f}}, \hat t\big) \in \hat{\mathbb{G}}^{2+u}$$

Extract($mk$, $ID$): To generate the private key $d_{ID}$ for identity $ID = (I_1, \ldots, I_k) \in (\mathbb{Z}_p^*)^k$ of depth $(k_1, k_2) = k \le \ell$, where $k_1 \le u$ and $k_2 \le v$, output the matrix:

$$d_{ID} = \begin{pmatrix} d^{dec}_{ID} \\ d^{rer}_{ID} \\ d^{del}_{ID} \end{pmatrix} = \begin{pmatrix} \mathrm{Id} & R_1 & 0 \\ 0 & R_2 & 0 \\ 0 & R_3 & \mathrm{Id} \end{pmatrix} \cdot M_{ID} = \begin{pmatrix} M^{dec} + R_1 \cdot M^{rer} \\ R_2 \cdot M^{rer} \\ M^{del} + R_3 \cdot M^{rer} \end{pmatrix} \in \hat{\mathbb{G}}^{(u+2) \times (2 + k_1 + v - k_2)}$$

where $R_1 \in (\mathbb{Z}_p)^{1 \times (k_1+1)}$, $R_2 \in (\mathbb{Z}_p)^{(k_1+1) \times (k_1+1)}$, and $R_3 \in (\mathbb{Z}_p)^{(u-k_1-1) \times (k_1+1)}$ are random matrices, and

$$M_{ID} = \begin{pmatrix} M^{dec}_{ID} \\ M^{rer}_{ID} \\ M^{del}_{ID} \end{pmatrix} = \begin{pmatrix}
\hat g_0 & & & & & & \\
\hat t & \hat g & & & & & \\
(\mathbf{I} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}})_1 & & \hat g & & & & \\
\vdots & & & \ddots & & & \\
(\mathbf{I} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}})_{k_1-1} & & & & \hat g & & \\
(\mathbf{I} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}})_{k_1} & & & & & \hat g & \hat h_{k_2+1} \cdots \hat h_v \\
(\mathbf{I} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}})_{k_1+1} & & & & & & \\
\vdots & & & & & & \\
(\mathbf{I} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}})_u & & & & & &
\end{pmatrix}$$

In this matrix blanks correspond to cells containing the group identity $\hat g^0$. Note that for columns $j > k_1$ (i.e. rows in $M^{del}_{ID}$) the quantity $(\mathbf{I} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}})_j$ is equal to $\hat f_j$. The size of $d_{ID}$ grows with $k_1$ and shrinks with $k_2$; the private key thus becomes alternately shorter and longer as the depth of $ID$ increases, but never exceeds $(u+2)(1+u+v)$ elements of $\hat{\mathbb{G}}$.

To better see the similarity with the hybrid system described in [BBG05], we can rewrite this definition the following way:

$$d^{dec}_{ID} = \Big(\hat g_0\, \big(\mathbf{r}_{-1} \cdot (\mathbf{I}|_{k_1} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}}|_{k_1})\big)\, \hat t^{R_{-1}},\ \ \mathbf{r}_{-1} \cdot (\hat g),\ \ (r_{-1,k_1}) \cdot (\hat h_{k_2+1}, \ldots, \hat h_v),\ \ \hat g^{R_{-1}}\Big) \in \hat{\mathbb{G}}^{1 \times (2 + k_1 + v - k_2)}$$

$$d^{rer}_{ID} = \Big[\big(\mathbf{r}_j \cdot (\mathbf{I}|_{k_1} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}}|_{k_1})\big)\, \hat t^{R_j},\ \ \mathbf{r}_j \cdot (\hat g),\ \ (r_{j,k_1}) \cdot (\hat h_{k_2+1}, \ldots, \hat h_v),\ \ \hat g^{R_j}\Big]_{j=0}^{k_1} \in \hat{\mathbb{G}}^{(k_1+2) \times (2 + k_1 + v - k_2)}$$

$$d^{del}_{ID} = \Big[\hat f_j\, \big(\mathbf{r}_j \cdot (\mathbf{I}|_{k_1} \cdot \hat{\mathbf{h}} + \hat{\mathbf{f}}|_{k_1})\big)\, \hat t^{R_j},\ \ \mathbf{r}_j \cdot (\hat g),\ \ (r_{j,k_1}) \cdot (\hat h_{k_2+1}, \ldots, \hat h_v),\ \ \hat g^{R_j}\Big]_{j=k_1+1}^{u} \in \hat{\mathbb{G}}^{(u-k_1-1) \times (2 + k_1 + v - k_2)}$$

for random $R_{-1}, \ldots, R_u$ in $\mathbb{Z}_p$ and $\mathbf{r}_{-1}, \ldots, \mathbf{r}_u$ in $(\mathbb{Z}_p)^{k_1}$. The idea behind this definition of $d^{del}_{ID}$ is to embed the $\hat f_i$ needed for delegation in the private key, but blinded in a way that maintains their utility.

Rerand($d_{ID}$): We present a helper algorithm that will be useful for key delegation. If we have one valid key $d_{ID}$ for a given identity $ID$, we can build another key $d'_{ID}$ for the same $ID$ that has the same distribution as the output of algorithm Extract($mk$, $ID$), and is independent from $d_{ID}$, by re-randomization. Let $R'_1 \in (\mathbb{Z}_p)^{1 \times (k_1+1)}$, $R'_2 \in (\mathbb{Z}_p)^{(k_1+1) \times (k_1+1)}$, and $R'_3 \in (\mathbb{Z}_p)^{(u-k_1-1) \times (k_1+1)}$ be random matrices. Note that this corresponds to $(k_1+1)(u+2)$ random values in $\mathbb{Z}_p$, as in Extract. We build $d'_{ID}$ by:

$$d'_{ID} = \begin{pmatrix} \mathrm{Id} & R'_1 & 0 \\ 0 & R'_2 & 0 \\ 0 & R'_3 & \mathrm{Id} \end{pmatrix} \cdot d_{ID} = \begin{pmatrix} d^{dec}_{ID} + R'_1 \cdot d^{rer}_{ID} \\ R'_2 \cdot d^{rer}_{ID} \\ d^{del}_{ID} + R'_3 \cdot d^{rer}_{ID} \end{pmatrix}$$

Let $R_1, R_2, R_3$ be the matrices giving the previous decomposition of $d_{ID}$:

$$d_{ID} = \begin{pmatrix} \mathrm{Id} & R_1 & 0 \\ 0 & R_2 & 0 \\ 0 & R_3 & \mathrm{Id} \end{pmatrix} \cdot M_{ID}$$

thus we have:

$$d'_{ID} = \begin{pmatrix} \mathrm{Id} & R'_1 & 0 \\ 0 & R'_2 & 0 \\ 0 & R'_3 & \mathrm{Id} \end{pmatrix} \cdot \begin{pmatrix} \mathrm{Id} & R_1 & 0 \\ 0 & R_2 & 0 \\ 0 & R_3 & \mathrm{Id} \end{pmatrix} \cdot M_{ID} = \begin{pmatrix} M^{dec}_{ID} + (R'_1 \cdot R_2 + R_1) \cdot M^{rer}_{ID} \\ R'_2 \cdot R_2 \cdot M^{rer}_{ID} \\ M^{del}_{ID} + (R'_3 \cdot R_2 + R_3) \cdot M^{rer}_{ID} \end{pmatrix}$$

It is not hard to see that if $R_2$ is full rank, then $d'_{ID}$ is distributed as the output of algorithm Extract($mk$, $ID$). If $R_2$ is not full rank then $d'_{ID}$ is distributed differently (we then say that $d_{ID}$ is ill-formed), but since this happens with probability about $1/p$ (which is negligible), $d'_{ID}$ is then distributed statistically close to the distribution of Extract($mk$, $ID$).

Derive($d_{ID|k-1}$, $ID$): To derive the key $d_{ID}$ for $ID$, first decompose $k$ as $(k_1, k_2)$ according to our convention. There are two cases:

1. If $k-1$ is expressed as $(k_1, k_2-1)$, namely $k$ and $k-1$ have the same row index $k_1$, we write the columns of $d_{ID|k-1}$ as

$$
d_{ID|k-1} = \Big( D,\; [G_i]_{i=0}^{k_1},\; H_{k_2},\; [H_i]_{i=k_2+1}^{v},\; T \Big)
$$

In this case, to generate $d_{ID}$ from $d_{ID|k-1}$, set

$$
d^{temp}_{ID} = \Big( D + H_{k_2},\; [G_i]_{i=0}^{k_1},\; [H_i]_{i=k_2+1}^{v},\; T \Big)
$$

Then if the matrix $d_{ID|k-1}$ is a proper, non-ill-formed key, so is $d^{temp}_{ID}$, for the same random values. We can thus output Rerand($d^{temp}_{ID}$), which is a valid key following the same distribution as if it had been generated directly by Extract($mk$, $ID$).

2. If the row indices differ, then necessarily $k-1 = (k_1-1, v)$ and $k = (k_1, 1)$. Let us write the private key for $ID|k-1$ as

$$
d_{ID|k-1} = \begin{pmatrix}
D & G_1 & \cdots & G_{k_1-1} & T \\
D_0 & G_{0,1} & \cdots & G_{0,k_1-1} & T_0 \\
\vdots & \vdots & \ddots & \vdots & \vdots \\
D_u & G_{u,1} & \cdots & G_{u,k_1-1} & T_u
\end{pmatrix}
$$

First, we define $d^{temp}_{ID}$ (with $v$ more columns):

$$
d^{temp}_{ID} = \left(\begin{array}{ccccccccc}
D & G_1 & \cdots & G_{k_1-1} & & & & & T \\
D_0 & G_{0,1} & \cdots & G_{0,k_1-1} & & & & & T_0 \\
\vdots & \vdots & \ddots & \vdots & & & & & \vdots \\
D_{k_1-1} & G_{k_1-1,1} & \cdots & G_{k_1-1,k_1-1} & & & & & T_{k_1-1} \\
h_1^{I_{(k_1,1)}} D_{k_1} & G_{k_1,1} & \cdots & G_{k_1,k_1-1} & g & h_2 & \cdots & h_v & T_{k_1} \\
D_{k_1+1} & G_{k_1+1,1} & \cdots & G_{k_1+1,k_1-1} & & & & & T_{k_1+1} \\
\vdots & \vdots & \ddots & \vdots & & & & & \vdots \\
D_u & G_{u,1} & \cdots & G_{u,k_1-1} & & & & & T_u
\end{array}\right)
$$

Also in this matrix, blanks correspond to cells containing the group identity $g^0$. Intuitively, we moved the highlighted line (the row of index $k_1$) from the delegation part to the re-randomization part of the key. Let $R_1, R_2, R_3$ be the matrices giving the previous decomposition of $d_{ID|k-1}$, and $R'_1, R'_2, R'_3$ those of $d^{temp}_{ID}$; we have

$$
R'_1 = \begin{pmatrix} R_1 & 0 \end{pmatrix}, \qquad
R'_2 = \begin{pmatrix} R_2 & 0 \\ (R_3)_1 & 1 \end{pmatrix}, \qquad
R'_3 = \begin{pmatrix} (R_3)_2 & 0 \\ \vdots & \vdots \\ (R_3)_{k_1-2} & 0 \end{pmatrix}
$$

where $0$ in $R'_2$ denotes a zero column and $(R_3)_i$ the $i$-th row of $R_3$. Note that if $R_2$ has rank $k_1+1$, then $R'_2$ has rank $k_1+2$, so if $d_{ID|k-1}$ is not an ill-formed key, $d^{temp}_{ID}$ is not ill-formed either. We can thus output Rerand($d^{temp}_{ID}$), which is a valid key following the same distribution as if it had been generated directly by Extract($mk$, $ID$).

Encrypt($PP$, $ID$, $M$): To encrypt a message $M \in \mathbb{G}_t$ under the public key $ID = (I_1, \dots, I_k) \in (\mathbb{Z}_p^*)^k$ where $k = (k_1, k_2)$, pick a random $s \in \mathbb{Z}_p$ and output

$$
CT = \Big( e(g_1, g_2)^s \cdot M,\; g^s,\; (s) \cdot (I \cdot h + f),\; t^s \Big) \in \mathbb{G}_t \times \mathbb{G}^{2+u}.
$$

Note that encrypting for $ID = (I_1, \dots, I_k) \in (\mathbb{Z}_p^*)^k$ is the same as encrypting for $ID' = (I_1, \dots, I_k, 0, \dots, 0)$. Also note that this does not create any conflict, since a proper identity should not contain any $0$.

Decrypt($d^{dec}_{ID}$, $CT$): Consider an identity $ID = (I_1, \dots, I_k)$ with $k = (k_1, k_2)$. To decrypt a ciphertext $CT = (A, B, C_1, \dots, C_u, Z)$ using the decryption part of the private key $d^{dec}_{ID} = (a_0, b_1, \dots, b_{k_1}, c_{k_2+1}, \dots, c_v, z)$, output

$$
M' = A \cdot e(Z, z) \cdot \prod_{i=1}^{k_1} e(C_i, b_i) \Big/ e(B, a_0).
$$

Note that the decryption key components $c_{k_2+1}, \dots, c_v$ are not used for decryption.

Correctness. We briefly check that decryption is correct. With the same notation as in Decrypt:

$$
e(B, a_0) = e\Big(g^s,\; g_0 \cdot \big(r_{-1} \cdot (I \cdot h + f)\big) \cdot t^{R_{-1}}\Big)
= e(g^s, g_0) \cdot e(g^s, t^{R_{-1}}) \cdot \prod_{i=1}^{k_1} e\Big(g^s, (I \cdot h + f)_i^{r_{-1,i}}\Big)
$$

$$
= e(g_0, g)^s \cdot e(t^s, g^{R_{-1}}) \cdot \prod_{i=1}^{k_1} e\Big((I \cdot h + f)_i^s, g^{r_{-1,i}}\Big)
= e(g_0, g)^s \cdot e(Z, z) \cdot \prod_{i=1}^{k_1} e(C_i, b_i)
$$

If $CT$ is the encryption of $M$ under the public key $ID$, then $A = e(g_0, g)^s \cdot M$, and hence $M' = M$.

C.4 Security Reduction

The following theorem states the security of our system under the Decision Pv-BDH assumption.

Theorem 3 (HIBE security). Our HIBE is selective-ID anonymous assuming the Decision Pv-BDH assumption holds for the bilinear group generator $\mathcal{G}$. In particular, for all PPT algorithms $\mathcal{B}$ and all $\ell > 0$, the function $\mathrm{Adv}^{\mathrm{aIND\text{-}sID\text{-}CPA}}_{\mathcal{B}}(\lambda)$ is a negligible function of $\lambda$.

The proof uses the same techniques as our dHVE security proof, described in Appendix B, combined with the techniques used in [BBG05] for the underlying non-anonymous HIBE. The details can be made available to the reviewers upon request.