Keywords

1 Introduction

Identity-based encryption (IBE) [55] is a public-key paradigm where users’ private keys are generated by trusted authorities and derived from some easy-to-remember string (like an email address) that serves as a public key so as to simplify key management. Attribute-based encryption (ABE) [36, 54] is a powerful extension of IBE where ciphertexts are labeled with a set of descriptive attributes (e.g., “hiring committee”, “admin”, ...) in such a way that decryption works whenever these attributes satisfy an access policy which is hard-coded in the decryption key.

Functional encryption (FE) [15, 54] is an extreme generalization of IBE, where a master private key SK allows deriving sub-keys \(SK_F\) associated with functions F. Given an encryption C of a message X, a sub-key \(SK_F\) allows computing F(X) while revealing nothing else about X. The message \(X=(\mathsf {ind},M)\) usually consists of an index \(\mathsf {ind}\), which is essentially a set of attributes, and a message M, which is sometimes called “payload”. While the latter is always computationally hidden, the index \(\mathsf {ind}\) of a ciphertext may be public or private. Not surprisingly, schemes in the public index setting tend to be significantly more efficient in terms of ciphertext and key sizes.

In the private-index setting, anonymous IBE [10, 17] is an example of functional encryption for the equality testing functionality. In the public [36, 54] and private-index [39] cases, ABE can be cast as another particular flavour of FE, where private keys are associated with expressive access policies. These primitives provide fine-grained access control [54] or privacy-preserving searches over encrypted data [1, 10]. In its key-policy (KP-ABE) flavour, ABE involves private keys associated with a possibly complex Boolean expression F and, if the ciphertext encrypts the message \(X=(\mathsf {ind},M)\), the private key \(SK_F\) reveals M if and only if \(F(\mathsf {ind})=1\). Ciphertext-policy ABE (CP-ABE) schemes proceed the other way around: ciphertexts are labeled with a policy F; private keys are associated with an attribute set \(\mathsf {ind}\) and decryption succeeds whenever \(F(\mathsf {ind})=1\).

The usual “collusion-resistance” requirement captures the intuition that no collection of private keys should make it possible to decrypt a ciphertext that none of these keys can individually decrypt. While properly defining the security of FE turns out to be non-trivial [15], the literature usually distinguishes selective adversaries [18] – that have to declare the index of the challenge ciphertext \(\mathsf {ind}^\star \) upfront (even before seeing the master public key) – from adaptive adversaries, which can choose \(\mathsf {ind}^\star \) after having made a number of private key queries for functions of their choice.

In terms of expressiveness, a major challenge is certainly to efficiently evaluate any polynomial-time-computable function F over encrypted data. While theoretical solutions achieve this goal using the obfuscation machinery [32], practical instantiations of functional encryption are only known for very restricted classes of functions (such as IBE [11, 58] or ABE [39]) for the time being.

Even for particular functionalities and selective adversaries, proving security is challenging when we seek to optimise the size of ciphertexts and keys. For example, squeezing many attributes in the same ciphertext component often comes at the price of larger private keys [4, 6] or security proofs under fancy q-type assumptions [9, 13] (or both). Likewise, short private keys and public parameters [40, 51] often entail strong, variable-size assumptions. Eventually, constant-size ciphertexts or keys (“constant” meaning that it only depends on the security parameter and not on the number of adversarial queries or features of the system) often translate into non-constant-size assumptions. In some situations, information theoretic arguments [31] even rule out the possibility of simultaneously achieving constant-size ciphertexts and keys, no matter which assumption is considered.

Here, we restrict ourselves to specific functionalities for which we are interested in proving the security of compact schemes under well-studied, constant-size assumptions. By “compact”, we mean that ciphertexts can be comprised of a constant number of group elements – no matter how many attributes or users are associated with them – without inflating the private key size. In particular, private keys should be no longer than in realisations of the same functionality without short ciphertexts. Finally, we aim at avoiding the caveat of relying on variable-size, q-type assumptions, which should notoriously be used with caution [24].

We achieve this goal for two natural extensions of IBE, which are known as identity-based broadcast encryption (IBBE) [2, 52] and fuzzy identity-based encryption (FIBE) [54]. In the former, ciphertexts are encrypted for a list of identities. The latter is an ABE for policies consisting of a single threshold gate: i.e., ciphertexts and private keys both correspond to a set of attributes and decryption succeeds whenever the two sets have a sufficiently large intersection. In fact, IBBE and FIBE can both be seen as special cases of CP-ABE for policies consisting of a single gate: an IBBE is nothing but a CP-ABE for one OR gate, which is implied by FIBE for 1-out-of-n gates. However, considering the two primitives separately allows obtaining shorter private keys in the IBBE case.

1.1 Our Contribution

We describe the first IBBE system with a security proof under constant-size assumptions and that simultaneously features constant-size ciphertexts and private keys. In our scheme, only the size of public parameters depends on the maximal number n of receivers per ciphertext. Users’ private keys only consist of a single(!) group element while ciphertexts are only longer than plaintexts by 2 elements of a composite-order group. We prove selective security in the standard model under subgroup assumptions [42] in bilinear groups of order \(N=p_1p_2p_3\). In comparison, all earlier IBBE realisations with short ciphertexts either incur O(n)-size private keys [2, 5, 14, 47] or combine the random oracle model [8] with very ad hoc assumptions [26, 52] tailored to the result to be proved.

As a second contribution, we extend our IBBE scheme into a fuzzy IBE system with O(1)-size ciphertexts and private keys made of \(O(\ell )\) group elements, where \(\ell \) is the maximal number of attributes per identity. Our FIBE scheme thus asymptotically achieves the same private key size as [54] with the benefit of constant-size ciphertexts, regardless of the number of ciphertext attributes. In contrast, except [37], previously known KP-ABE systems with short ciphertexts either inflate private keys by a factor \(O(\ell )\) [6, 7, 47, 49] or are restricted to small attribute universes [38].

While our constructions rely on composite order groups where pairings are rather expensive to compute [30], they only require two pairing evaluations on behalf of the receiver (and no pairing on the sender’s side). Our schemes are proved selectively secure using the Déjà Q technique of Chase and Meiklejohn [22], which was re-used by Wee [62] and refined by Chase et al. [23]. A detailed comparison is shown in Table 1. See the full paper [33] for more discussion.

Table 1. Comparison among compact IBBE and FIBE. For IBBE, n is the maximum number of recipients; for FIBE, n is the maximum size of attribute set and \(\tau \) is the threshold. We use notations—\(\mathsf {CT}\): ciphertext; \(\mathsf {SK}\): secret key; #dec: cost of decryption; \(\mathbb {G}_N\): symmetric pairing group with composite order N; \(\mathbb {G}_1\), \(\mathbb {G}_2\): source groups of an asymmetric pairing group of prime order p; [P]: a pairing operation; [M]: scalar multiplication on source groups; aID: adaptive/full security; sID: selective security; na-sID: selective security with non-adaptive key extraction queries; saID: semi-adaptive security; Static: static assumption in \(\mathbb {G}_N\); GGM: generic group model; RO: random oracle model.
Full size table

1.2 Overview of Our Techniques

Our identity-based broadcast encryption scheme is obtained by instantiating (a variant of) Delerablée’s IBBE [26] in composite order groups and providing a direct security proof, analogously to Wee’s IBE [62]. In prime order groups, Delerablée’s construction [26] is proved selectively secure in the random oracle model under a highly non-standard q-type assumption, where q simultaneously depends on the number of private key queries and the maximal number of receivers per ciphertext. While this assumption is a special case of the Uber assumption of Boneh, Boyen and Goh [9], it seems to escape the family of assumptions that reduce the constant-size subgroup assumptions via the framework of Chase, Maller and Meiklejohn [23]: in Sect. 3.1, we indeed explain why the results of [23] alone do not immediately guarantee the security of Delerablée’s IBBE in composite order groups.Footnote 1 Moreover, even if they did, a direct instantiation of [26] in composite order groups would only be guaranteed to be secure in the random oracle model.Footnote 2 In contrast, we give a direct proof of selective security in the standard model.

Just like [26, 62], our scheme uses the private key generation technique of the Sakai-Kasahara IBE [53], which computes inversions in the exponent. Letting \(\mathbb {G}\) be a cyclic group of order \(N=p_1p_2p_3\) with subgroups \(\mathbb {G}_{p_i}\) of order \(p_i\) for each \(i \in \{1,2,3\}\), if \(g^\gamma \in \mathbb {G}_{p_1}\) and \(G_i=g^{(\alpha ^i)} \in \mathbb {G}_{p_1}\) are part of the public parameters, a private key for the identity \(\mathsf {id}\) consists of \(\mathsf {SK}_{\mathsf{id}}=u^{\gamma /(\alpha + \mathsf {id})} \cdot X_{p_3}\), where \(u \in \mathbb {G}_{p_1}\) belongs to the master secret key and \(X_{p_3} \in _R \mathbb {G}_{p_3}\). If \(S=\{\mathsf{id}_1,\ldots ,\mathsf{id}_\ell \}\) denotes the set of authorised receivers, one of the ciphertext components packs their identities into one group element \(g^{s \cdot \prod _{\mathsf{id}\in S} (\alpha + \mathsf{id})}\), which can be seen as a randomised version of Nguyen’s accumulator [45]. As shown in [26], by introducing \(g^{\gamma \cdot s}\) in the ciphertext and blinding the message as \(M \oplus \mathsf{H}(e(g,u)^{\gamma \cdot s} )\), we can enable decryption by exploiting the divisibility properties of the polynomial \(p_S(\alpha ) = \prod _{\mathsf{id}\in S} (\alpha + \mathsf{id})\), analogously to [45]. Like the security proof of Wee’s IBE [62], our proof proceeds by first introducing \(\mathbb {G}_{p_2}\) components in ciphertexts. Then, following the technique of [22], it uses the entropy of \(\alpha , \gamma \bmod p_2\) – which are information theoretically hidden by \(g^\gamma \) and \(G_i=g^{(\alpha ^i)} \) – to gradually introduce \(\mathbb {G}_{p_2}\) components of the form \(g_2^{\sum _{j=1}^k \tilde{\gamma } \cdot r_j \cdot p_S(\alpha _j) / (\alpha _j + \mathsf{id}) }\), where \(\{r_j\}_{j=1}^k\) are shared by all private keys. At each step, we can increase the number of terms in the exponent so that, when k is sufficiently large, all keys \(\mathsf {SK}_{\mathsf{id}}\) have independent random components of order \(p_2\). At this point, an information theoretic argument shows that the ciphertext statistically hides the plaintext.

The crucial step of the proof consists of arguing that the newly introduced term in the sum \({\sum _{j=1}^k r_j \cdot p_S(\alpha _j) / (\alpha _j + \mathsf{id}) }\) is statistically independent of the public parameters. At this step, our information theoretic argument differs from Wee’s [62] because, in our IBBE system, public parameters contain additional group elements of the form \(U_i=u^{ \alpha ^i } \cdot R_{3,i}\), which inherit \(\mathbb {G}_{p_2}\) components that depend on \( {\sum _{j=1}^k r_j \cdot \alpha _j^i \bmod p_2}\), for the same coefficients \(r_j \in \mathbb {Z}_{p_2}\) as those showing up in private keys. Since private keys and public key components \(\{U_i\}_{i=1}^n\) have correlated semi-functional componentsFootnote 3 that share the same \(\{r_j \bmod p_2 \}_{j=1}^k\), we have to consistently maintain this correlation at all steps of the sequence of game and argue that, when we reach the final game, the \(\mathbb {G}_{p_2}\) components of \(\mathsf {SK}_{\mathsf{id}_1},\ldots , \mathsf {SK}_{\mathsf{id}_q}\) and \(\{ U_i\}_{i=1}^n\) are uncorrelated in the adversary’s view. In Wee’s constructions [62], this is done by arguing that matrices of the form \((\alpha _j^i)_{i,j \in [q]}\) or \(\big ( {1}/(\alpha _j + \mathsf{id}_i) \big )_{i,j}\) are invertible. Here, we are presented with more complex square matrices that involve the two kinds of entries and also depend on the polynomial \(p_{S^\star }(\alpha ) = \prod _{\mathsf{id}\in S^\star } (\alpha + \mathsf{id})\), where \(S^\star \) is the set of the target identities. More precisely, these matrices contain sub-matrices of the form \(\big ( p_{S^\star }(\alpha _i)/(\alpha _i + \mathsf{id}_j) \big )_{i,j}\), where \(\mathsf{id}_j\) denotes the j-th private key query. We use the property that the overall square matrices are invertible over \(\mathbb {Z}_{p_2}\) as long as none of the first-degree \((\alpha + \mathsf{id}_j)\) divides \( p_{S^\star }(\alpha )\) (i.e., \(\mathsf{id}_j \not \in S^\star \) for all private key queries \(\mathsf{id}_j\)). When this is the case, we are guaranteed that the \(\mathbb {G}_{p_2}\) components of ciphertexts, private keys and public parameters are i.i.d. in the adversary’s view.

Our fuzzy IBE construction is an adaptation of the system described by Herranz, Laguillaumie and Ràfols [4, 37] in prime order groups, which is itself inspired by the dynamic threshold encryption primitive of Delerablée and Pointcheval [27] and relies on a similarly strong assumption. The FIBE system of [37] modifies [26, 27] by randomizing the generation of private keys. In our construction, private keys for an attribute set \(\{\mathsf{id}_1,\ldots ,\mathsf{id}_\ell \}\) similarly consist of

$$\begin{aligned} \big ( K_i = u^{\frac{\gamma }{\alpha + \mathsf{id}_i}} \cdot X_{3,i} \big )_{i =1}^\ell ,\qquad \big ( K'_i = u^{\alpha ^{i}} \cdot X'_{3,i} \big )_{i = 1}^{n-1},\qquad K_0 = u \cdot u_0 \cdot X_{3,0}, \end{aligned}$$

where \(u \in _R \mathbb {G}_{p_1}\) and \(X_{3,i} \in _R \mathbb {G}_{p_3}\) are freshly chosen for each key and \(u_0 \in \mathbb {G}_{p_1}\) is a master secret key component which is committed via \(e(g,u_0)^\gamma \) in the master public key. Intuitively, the public parameters \(u_0^{\alpha ^i} \cdot R_{3,i} \) of Delerablée’s IBBE are now replaced by similar-looking private key components \(K'_i = u^{\alpha ^{i}} \cdot X'_{3,i} \) for random \(u \in _R \mathbb {G}_1\) that are used in \(K_0\) to blind the master secret key \(u_0\) (collusion-resistance is ensured by the fact that distinct keys involve fresh randomizers u).

Due to the strong structural similarity, the proof for the selective security of our fuzzy IBE can be viewed as an extension of that for our IBBE system. From the viewpoint of reduction, the fresh \(u \in \mathbb {G}_{p_1}\) in each secret key allows us to correspond each secret key to a fresh IBBE instance and analyse them in an independent fashion. In particular, by considering \(K_i\) as \(\mathsf {SK}_{\mathsf{id}_i}\) and \(K'_i\) as \(U_i\), we can apply the proof method of our IBBE to introduce independent random \(\mathbb {G}_{p_2}\) components in all these components and \(K_0\) (with \(u_0 \cdot X_{3,0}\)). As discussed earlier, the core step is again to argue the invertibility of a matrix of some special form for each secret key. Although the matrices we are considering now look like those for the IBBE system, the situation is actually more complex. More specifically, the matrices contain sub-matrices of the form \((p_{S^\star ,\tau ^\star }(\alpha _i)/(\alpha _i + \mathsf{id}_j))_{i,j}\) where \(p_{S^\star ,\tau ^\star }(\alpha ) = \prod _{\mathsf{id}\in S^\star } (\alpha + \mathsf{id}) \cdot \prod _{i \in [\delta ]}(\alpha + d_i)\) where \(S^\star \) is the set for the target fuzzy identity, \((d_i)_i\) is a set of dummy identities and \(\delta \) depends on the target threshold \(\tau ^{*}\). Unlike the IBBE case, there can be an \(\mathsf{id}_j\in \{\mathsf{id}_1,\ldots ,\mathsf{id}_\ell \}\) such that \(\mathsf{id}_j \in S^\star \) so that \((\alpha + \mathsf{id}_j)\) divides \(p_{S^\star ,\tau ^\star }(\alpha )\) in the FIBE case. This prevents us from directly applying our previous result on the matrices. Instead, we will prove the property that these matrices are still invertible as long as the number of such \(\mathsf{id}_j\) do not exceed the target threshold \(\tau ^{*}\). Inspired by the recent proof for IBE in the multi-instance setting [19], we can in fact change the distributions of all secret keys independently but simultaneously using the random self-reducibility of decisional subgroup assumptions. Once we have independent random \(\mathbb {G}_{p_2}\) component in \(K_0\) in each secret key, we then introduce semi-functional component (in \(\mathbb {G}_{p_2}\)) for the master secret key component \(u_0\) and show that it will be hidden by the random \(\mathbb {G}_{p_2}\) component in \(K_0\). This means the semi-functional component of \(u_0\) will only appear in the challenge ciphertext which is adequate for proving the selective security of our fuzzy IBE system.

1.3 Related Work

Broadcast encryption was introduced by Fiat and Naor [29] and comes either in combinatorial [43] or algebraic flavors [13, 34, 40, 44, 59]. One of the most appealing tradeoffs was given in the scheme of Boneh, Gentry and Waters [13], which features short ciphertexts and private keys but linear-size public keys in the total number of users. While its security was initially proved under a parameterised assumption, recent extensions [23, 62] of the Déjà Q framework [22] showed how to prove the security (against static adversaries) of its composite-order-group instantiations under constant-size subgroup assumptions. Boneh et al. suggested a variant [16] of the BGW scheme [13] with polylogarithmic complexity in all metrics using multi-linear maps. Unfortunately, the current status of multi-linear maps does not enable secure instantiations of [16] for now (see, e.g., [25]).

Identity-based broadcast encryption was formally defined by Abdalla, Kiltz and Neven [2] and independently considered by Sakai and Furukawa [52]. One of the salient advantages of IBBE over traditional public-key broadcast encryption is the possibility of accommodating an exponential number of users with polynomial-size public parameters. IBBE was recently used [28] in the design of efficient 0-RTT key exchange protocols with forward secrecy. Abdalla et al. [2] gave a generic construction with short ciphertexts and private keys of size \(O(n^2)\), where n is the maximal number of receivers. Sakai and Furukawa [52] suggested a similar construction to [26] with security proofs in the generic group and random oracle model. Boneh and Hamburg [14] obtained a system with O(1)-size ciphertexts and O(n)-size keys. Using the Déjà Q technique, Chen et al. [20] described an identity-based revocation mechanism [40] with short ciphertexts and private keys under constant-size assumptions. The aforementioned constructions were all only proven secure against selective adversaries. Gentry and Waters [34] put forth an adaptively secure construction based on q-type assumptions while Attrapadung and Libert [5] showed a fully secure variant of [14] under simple assumptions. To our knowledge, the only IBBE realisations that simultaneously feature constant-size ciphertexts and private keys are those of [26, 52], which require highly non-standard assumptions and the random oracle model. As mentioned by Derler et al. [28], the short ciphertexts and private keys of Delerablée’s scheme [26] make it interesting to instantiate their generic construction of Bloom Filter Encryption, which in turn implies efficient 0-RTT key exchange protocols. Until this work, even for selective adversaries, it has been an open problem to simultaneously achieve short ciphertext and private keys without resorting to variable-size assumptions.

Attribute-based encryption was first considered in the seminal paper by Sahai and Waters [54]. Their fuzzy IBE primitive was later extended by Goyal et al. [36] into more expressive forms of ABE, where decryption is possible when the attribute set of the ciphertext satisfies a more complex Boolean formula encoded in the private key. After 2006, a large body of work was devoted to the design of adaptively secure [7, 41, 46,47,48,49, 57] and more expressive ABE systems [12, 35, 40, 50, 60, 61]. In contrast, little progress has been made in the design of ABE schemes with short ciphertexts. The first reasonably expressive ABE systems with constant-size ciphertexts were given in [4, 6, 37] under q-type assumptions. The solution of Herranz et al. [37] is a fuzzy IBE (i.e., a CP-ABE system for one threshold gate) with private keys of size O(n) where n is the maximal number of attributes per ciphertext. The more expressive KP-ABE systems of [4, 6] support arbitrary Boolean formulas, but enlarge the private keys of [36] by a factor n. The construction of [38, Sect. 3.4] eliminates the upper bound on the number of ciphertext attributes, but lengthens private keys by a factor |U|, where U is the universe of attributes. Several follow-up works improved upon [6] by proving security under simple assumptions [21, 56] or achieving full security [7]. However, all known KP-ABE schemes with short ciphertexts under simple assumptions suffer from similarly large private keys. While our scheme only supports one threshold gate, it turns out to be the first solution with short ciphertexts under simple assumptions that avoids blowing up private keys by a factor O(n).

2 Preliminaries

Notation. We write \({x_1,\ldots ,x_k {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathcal {X}}\) to indicate that \(x_1,\ldots ,x_k\) are sampled independently and uniformly from the set \(\mathcal {X}\). For a PPT algorithm \(\mathcal {A}\), \({y {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathcal {A}(x)}\) means that y is chosen according to the output distribution of \(\mathcal {A}\) on input x. For integers \(a < b\), [ab] denotes the set \(\{x \in \mathbb {Z}: a \le x \le b\}\) and we let \([b] = [1,b]\). If \(\mathbb {G}\) is a cyclic group, \(\mathbb {G}^\times \) denotes the set of generators of \(\mathbb {G}\).

2.1 Composite-Order Pairings and Hardness Assumptions

A (symmetric) composite-order pairing ensemble generator \(\mathsf {GroupGen}()\) is an algorithm that inputs a security parameter \(\eta \) and an integer m and returns an \((m+3)\)-tuple \(\mathcal {G}= (p_1,\ldots ,p_m,\mathbb {G},\mathbb {G}_T,e)\) where \(\mathbb {G}\) and \(\mathbb {G}_T\) are cyclic groups of order \(N=p_1 \cdots p_m\) (a square-free, hard-to-factor integer) and \(e: \mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\) is a non-degenerate and efficiently computable bilinear map. The primes are chosen so that \(p_i > 2^\eta \) for \(i \in \{1,2,\ldots ,m\}\). We will use hardness assumptions which require the factorisation of N to remain hidden. Given \(\mathcal {G}= (p_1,\ldots ,p_m,\mathbb {G},\mathbb {G}_T,e)\), let \(\mathcal {G}_\mathrm{pub}= (N,\mathbb {G},\mathbb {G}_T,e)\) denote the public description of \(\mathcal {G}\) where \(N = p_1 \cdots p_m\) and we assume that \(\mathbb {G},\mathbb {G}_T\) contain respective generators (of the full groups). Letting \(\mathbb {G}_{p_i}\) be the subgroup of order \(p_i\) of \(\mathbb {G}\), we denote elements of \(\mathbb {G}_{p_i}\) with subscript i for \(i\in [m]\). We now describe decisional subgroup (DS) assumptions w.r.t. \({(\mathcal {G}= (p_1,p_2,p_3,\mathbb {G},\mathbb {G}_T,e)) {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {}}} \mathsf {GroupGen}(\eta ,3)}\), which is stated in terms of two distributions: \(\mathcal {D},T_1\) and \(\mathcal {D},T_2\). We define \(\displaystyle \mathsf{Adv}_{{\mathcal {G}},\mathrm{DS}}^{\mathscr {B}} (\eta ) = |\Pr [\mathscr {B}(\mathcal {D},T_1) = 1]- \Pr [\mathscr {B}(\mathcal {D},T_2) = 1]|\) to be the advantage of a distinguisher \(\mathscr {B}\) against DS. We now describe \(\mathcal {D},T_1,T_2\) for the assumptions we use.

Assumption DS1

Pick generators \({g_1 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1}^\times }\) and \({g_3 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_3}^\times }\). Define \(\mathcal {D} = (\mathcal {G}_\mathrm{pub},g_1,g_3)\), \({T_1 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1}}\) and \({T_2 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1p_2}}\). DS1 holds if for all PPT \(\mathscr {B}\), \(\mathsf{Adv}_{{\mathcal {G}},\mathrm{DS1}}^{\mathscr {B}} (\eta )\) is negligible in \(\eta \).

Assumption DS2

Pick \({g_1 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1}^\times }\), \({g_3 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_3}^\times }\), \({h_{12} {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1p_2}}\) and \(h_{23} {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_2p_3}\). Define \(\mathcal {D} = (\mathcal {G}_\mathrm{pub},g_1,g_3,h_{12},h_{23})\), \({T_1 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1p_3}}\) and \({T_2 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1p_2p_3}}\). The DS2 assumption holds if for all PPT \(\mathscr {B}\), \(\mathsf{Adv}_{{\mathcal {G}},\mathrm{DS2}}^{\mathscr {B}} (\eta )\) is negligible in \(\eta \).

2.2 Identity-Based Broadcast Encryption (IBBE)

Definition 1

(IBBE). An IBBE scheme is defined by probabilistic algorithms \(\mathsf{Setup}\), \({\mathsf{KeyGen}}\), \({\mathsf{Encrypt}}\) and \({\mathsf{Decrypt}}\). The identity space is denoted by \(\mathcal {I}\) and the message space is denoted by \(\mathcal {M}\).

  • \(\mathsf{Setup}(1^\lambda , 1^n)\): Takes as input a security parameter \(\lambda \), the maximum number \(n \,\,(=\mathsf {poly}(\lambda ))\) of recipient identities in a broadcast and generates the public parameters \({\mathsf {PP}}\) and the master secret \(\mathsf {MSK}\). The algorithm also defines the identity space \(\mathcal {I}\) and message space \(\mathcal {M}\).

  • \({\mathsf{KeyGen}}(\mathsf {MSK},\mathsf{id})\): Inputs an identity \(\mathsf{id}\) and \(\mathsf {MSK}\); outputs a key \(\mathsf {SK}_{\mathsf{id}}\) for \(\mathsf{id}\).

  • \({\mathsf{Encrypt}}({\mathsf {PP}},S \subseteq \mathcal {I},m\in \mathcal {M})\): Takes as input the public parameters and a set of identities S intended to receive the message m. If \(|S|\le n\), the algorithm outputs the ciphertext \(\mathsf {CT}\).

  • \({\mathsf{Decrypt}}({\mathsf {PP}},S,\mathsf {CT},\mathsf{id},\mathsf {SK}_{\mathsf{id}})\): Inputs \({\mathsf {PP}}\), a set \(S = \{\mathsf{id}_1,\ldots ,\mathsf{id}_\ell \}\), an identity \(\mathsf{id}\), a secret key \(\mathsf {SK}_{\mathsf{id}}\) for \(\mathsf{id}\), a ciphertext \(\mathsf {CT}\) and outputs a message \(m' \in \mathcal {M}\) if \(\mathsf{id}\in S\) and otherwise outputs \(\bot \).

Correctness. The IBBE scheme satisfies correctness if, for all sets \(S \subseteq \mathcal {I}\) with \(|S| \le n\), for all identities \(\mathsf{id}_i \in S\), for all messages \(m \in \mathcal {M}\), if \({({\mathsf {PP}},\mathsf {MSK}) {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathsf{Setup}(1^\lambda ,1^n)}\), \({\mathsf {SK}_{\mathsf{id}_i} {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} {\mathsf{KeyGen}}(\mathsf {MSK},\mathsf{id}_i)}\) and \(\mathsf {CT}{\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} {\mathsf{Encrypt}}({\mathsf {PP}},S,m)\), then we have \(\Pr [m = {\mathsf{Decrypt}}({\mathsf {PP}},S,\mathsf {CT},\mathsf{id}_i,\mathsf {SK}_{\mathsf{id}_i})] = 1\).

Definition 2

(IBBE Security). An IBBE system provides selective security if no PPT adversary \(\mathscr {A}\) has non-negligible advantage in the following game.

Initialise: \(\mathscr {A}\) commits to a target set of identities \(S^{*} = \{\mathsf{id}_1^{*},\ldots ,\mathsf{id}_{\ell ^{*}}^{*}\}\).

Setup: The challenger runs the \(\mathsf{Setup}\) algorithm of and gives \({\mathsf {PP}}\) to \(\mathscr {A}\).

Key Extraction Phase 1: \(\mathscr {A}\) makes key extraction queries. For a query on an identity vector \(\mathsf{id}\) such that \(\mathsf{id}\notin S^{*}\), the challenger runs algorithm and responds with a key \(\mathsf {SK}_{\mathsf{id}}\).

Challenge: \(\mathscr {A}\) provides two messages \(m_0,m_1\). The challenger chooses a bit \(\beta \) uniformly at random from \(\{0,1\}\), computes and returns \(\mathsf {CT}^{*}\) to \(\mathscr {A}\).

Key Extraction Phase 2: \(\mathscr {A}\) makes more key extraction queries with the restriction that it cannot query a key for any identity in \(S^{*}\).

Guess: \(\mathscr {A}\) outputs a bit \(\beta ^{\prime }\). If \(\beta =\beta '\), then \(\mathscr {A}\) wins the game. The adversary \(\mathscr {A}\)’s advantage is given by the distance

2.3 Fuzzy Identity-Based Encryption (FIBE) 

Definition 3

(FIBE). A fuzzy IBE scheme is defined by probabilistic algorithms – \(\mathsf{Setup}\), \({\mathsf{KeyGen}}\), \({\mathsf{Encrypt}}\) and \({\mathsf{Decrypt}}\). The identity space is denoted by \(\mathcal {I}\) and the message space is denoted by \(\mathcal {M}\).

  • \(\mathsf{Setup}(1^\lambda , 1^n)\): Takes as input a security parameter \(\lambda \), the maximum size \(n \,\,(=\mathsf {poly}(\lambda ))\) of sets associated with ciphertexts and generates the public parameters \({\mathsf {PP}}\) and the master secret \(\mathsf {MSK}\). The algorithm also defines the identity space \(\mathcal {I}\) and message space \(\mathcal {M}\).

  • \({\mathsf{KeyGen}}(\mathsf {MSK},S \subseteq \mathcal {I})\): Inputs a set S and \(\mathsf {MSK}\); outputs a secret key \(\mathsf {SK}_{S}\) for S.

  • \({\mathsf{Encrypt}}({\mathsf {PP}},S \subseteq \mathcal {I},\tau ,m \in \mathcal {M})\): Takes as input the public parameters \({\mathsf {PP}}\), a set of identities S along with a threshold \(\tau \) and a message m. If \(\tau \le |S| \le n\), the algorithm outputs the ciphertext \(\mathsf {CT}_{S,\tau }\).

  • \({\mathsf{Decrypt}}({\mathsf {PP}},S,\tau ,\mathsf {CT}_{S,\tau },S',\mathsf {SK}_{S'})\): This algorithm inputs the public parameters \({\mathsf {PP}}\), a set \(S \subseteq \mathcal {I}\) with a threshold \(\tau \) and a ciphertext \(\mathsf {CT}_{S,\tau }\) associated with them, another set \(S' \subseteq \mathcal {I}\) and its corresponding secret key \(\mathsf {SK}_{S'}\), outputs a message \(m' \in \mathcal {M}\) if \(|S \cap S'| \ge \tau \) and \(\bot \) otherwise.

Correctness. The FIBE scheme is correct if, for all sets \(S \subseteq \mathcal {I}\), all thresholds \(\tau \le |S| \le n\), all \(S' \in \mathcal {I}\) satisfying \(|S \cap S'|\ge \tau \), all \(m \in \mathcal {M}\), when \({({\mathsf {PP}},\mathsf {MSK}) {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathsf{Setup}(1^\lambda ,1^n)}\), \({\mathsf {SK}_{S'} {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} {\mathsf{KeyGen}}(\mathsf {MSK},S')}\) and \({\mathsf {CT}_{S,\tau } {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} {\mathsf{Encrypt}}({\mathsf {PP}},S,\tau ,m)}\), then \(\Pr [m ={\mathsf{Decrypt}}({\mathsf {PP}},S,\tau ,\mathsf {CT}_{S,\tau },S',\mathsf {SK}_{S'})] = 1\).

Definition 4

(FIBE Security). A FIBE system provides selective security if no PPT adversary \(\mathscr {A}\) has non-negligible advantage in the following game.

Initialise: \(\mathscr {A}\) commits to a target set \(S^{*} \subseteq \mathcal {I}\) and threshold \(\tau ^{*}\) satisfying \(\tau ^{*} \le |S^{*}| \le n\).

Setup: The challenger runs the \(\mathsf{Setup}\) algorithm of and gives \({\mathsf {PP}}\) to \(\mathscr {A}\).

Key Extraction Phase 1: \(\mathscr {A}\) makes a number of key extraction queries. For a query on \(S \subseteq \mathcal {I}\) such that \( | S^{*} \cap S | < \tau ^{*}\), the challenger runs and outputs \(\mathsf {SK}_S\).

Challenge: \(\mathscr {A}\) provides two messages \(m_0,m_1\). The challenger chooses \({\beta {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \{0,1\}}\), computes and returns \(\mathsf {CT}^{*}\) to \(\mathscr {A}\).

Key Extraction Phase 2: \(\mathscr {A}\) makes more key extraction queries with the restriction that it cannot query a key for any set S such that \(|S^{*} \cap S| \ge \tau ^{*}\).

Guess: \(\mathscr {A}\) outputs a bit \(\beta ^{\prime }\). We say \(\mathscr {A}\) wins the game if \(\beta =\beta '\). The advantage of \(\mathscr {A}\) in winning the sid-cpa game is defined to be

3 Compact IBBE from Subgroup Decision Assumptions

This section describes our IBBE scheme with short ciphertexts and keys. The structure is similar to Delerablée’s IBBE [26] in asymmetric prime-order groups.

3.1 Déjà Q Framework and Its Implications on Delerablée’s IBBE

The scheme proposed by Delerablée in [26] is based on prime-order asymmetric pairings and offers constant-size ciphertexts and keys. However, its proof of security relies on random oracles and a parameterised assumption called generalised decisional Diffie-Hellman exponent (GDDHE) with instances containing \(O(q+n)\) group elements. A scheme/proof without random oracles is also suggested but at the cost of an interactive GDDHE-like assumption and a more restrictive security definition (called IND-na-sID-CPA) in which the adversary has to commit to the identities for key extract queries during the initialisation phase (in addition to the challenge identity set).

It is natural to ask whether the scheme can be lifted to the composite-order setting and proved secure based on subgroup decision assumptions via the Déjà Q framework [22, 23]. That is, we ask whether the Uber assumption in asymmetric composite-order bilinear groups defined in [23] covers the GDDHE assumption or not? The answer is negative. To see why, let us take a closer look at the Uber assumption of [23] and the (asymmetric) GDDHE-assumption. For clarity, we avoid formal descriptions of assumptions and other details.

Uber Assumption [23]. Assume \(\mathcal {G}= (N,p_1,p_2,p_3,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)\) be an asymmetric composite-order pairing group. Let \(R(\mathbf {x}), S(\mathbf {x}), V(\mathbf {x})\) denote sets of polynomials in n variables \(\mathbf {x} = (x_1,\ldots ,x_n)\) and let \(z(\mathbf {x})\) be a polynomial in \(\mathbf {x}\). Let g be a generator of \(\mathbb {G}_1\) and \(h,\hat{h}\) be two independent generators of \(\mathbb {G}_2\). The uber assumption states that given

$$\begin{aligned} g,\hat{h},g^{R(\mathbf {x})},h^{S(\mathbf {x})}, e(g,h)^{V(\mathbf {x})}, T \end{aligned}$$

it is hard to decide if \(T = e(g,\hat{h})^{z(\mathbf {x})}\) or \(T \in _R \mathbb {G}_T\). It is known [23] that the uber assumption is implied by constant-size subgroup decision assumptions in \(\mathbb {G}_1\) and \(\mathbb {G}_2\) if \(R(\mathbf {x}),z(\mathbf {x})\) are linearly independent along other requirements (see [23, Proposition 3.9] for a formal statement).

In order to simplify our analysis, we may let \(\hat{h}^\delta = h\) for an independent exponent \({\delta {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {Z}_N}\) and re-state the uber assumption as: given

$$\begin{aligned} g,\hat{h},g^{R(\mathbf {x})},\hat{h}^{\delta \cdot S(\mathbf {x})}, e(g,\hat{h})^{\delta \cdot V(\mathbf {x})}, T \end{aligned}$$

it is hard to decide if \(T = e(g,\hat{h})^{z(\mathbf {x})}\) or \(T \in _R \mathbb {G}_T\). Here, \(\delta \cdot S(\mathbf {x}) = \{\delta \cdot s(\mathbf {x}): s \in S(\mathbf {x})\}\) and \(\delta \cdot V(\mathbf {x}) = \{\delta \cdot v(\mathbf {x}) : v \in V(\mathbf {x})\}\). We highlight that the Déjà Q framework in [23] requires the polynomials in the exponents of \(\hat{h}\) to be in the form of \(\delta \cdot \mathsf {poly}(\mathbf {x})\) with an independent \(\delta \).

Déjà Q Framework Does Not Cover GDDHE Assumption [26]. Let an asymmetric prime-order pairing configuration \(\mathcal {G}= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)\). Let \(g_0,h_0\) be the respective generators of \(\mathbb {G}_1,\mathbb {G}_2\). Pick \({k,\gamma {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {Z}_p}\) and let fg be two co-prime polynomials with pairwise distinct roots of respective orders qn. The GDDHE assumption states that given

$$\begin{aligned} g_0,g_0^\gamma , g_0^{\gamma ^2}, \ldots , g_0^{\gamma ^{q-1}}, g_0^{\gamma f(\gamma )}, g_0^{k \gamma f(\gamma )},\qquad h_0,h_0^\gamma , h_0^{\gamma ^2}, \ldots , h_0^{\gamma ^{2n}}, h_0^{k g(\gamma )}, \end{aligned}$$

along with \(T \in \mathbb {G}_T\), it is hard to determine whether \(T = e(g_0,h_0)^{k f(\gamma )}\) or \(T \in _R \mathbb {G}_T\).

As a direct attempt to put GDDHE into the Déjà Q framework, we can let \(g = g_0\) and \(\hat{h} = h_0\). This means we are considering \(\mathbf {x} = (\gamma ,k)\) and

$$\begin{aligned} z(\gamma ,k) = k f(\gamma ),\ V = \emptyset ,\ R(\gamma ,k) = \{1,\gamma , \gamma ^2, \ldots , \gamma ^{q-1}, \gamma f(\gamma ), k \gamma f(\gamma )\}. \end{aligned}$$

In this case, polynomials in the exponents of \(\hat{h}\) include {\( 1,\gamma , \gamma ^2, \ldots , \gamma ^{2n}, k g(\gamma )\)}. Since both \(\gamma \) and k has appeared in \(z(\mathbf {x})\) and \(R(\mathbf {x})\), there’s no means to write these polynomials in the form of \(\delta \cdot \mathsf {poly}(\mathbf {x})\) with an independent variable \(\delta \).

With our current choice of g, all polynomials in the exponents of g fit the Déjà Q framework quite well. To get around this problem, we try another definition of \(\hat{h}\). The best choice can be setting \(\hat{h} = h_0^k\), \(\mathbf {x} = \gamma \) and \(z(\gamma ) = f(\gamma )\). The basic idea is to set \(\delta = k^{-1}\). However, the polynomials in the exponents of \(\hat{h}\) become

$$\begin{aligned} k^{-1},k^{-1} \cdot \gamma , k^{-1} \cdot \gamma ^2, \ldots , k^{-1} \cdot \gamma ^{2n}, g(\gamma ) \end{aligned}$$

where the last polynomial is still in the wrong form and we can not publish \(\hat{h}\) itself this time. Even worse, \(\delta \) will also appear in the exponent of \(g = g_0\) since the input to the adversary contains \(g^{k\gamma f(\gamma )}\) (in the original assumption) which will become \(g^{\delta ^{-1}\gamma f(\gamma )}\) in the current setting. We can make this argument more general. If we want to borrow \(\delta \) from \(k f(\gamma )\), which seems to be the unique random source we can use in the challenge, it will finally appear (in some form) in the term \(g^{k\gamma f(\gamma )}\). Therefore, the Déjà Q transform fails.

In this forthcoming sections, instead of trying to reduce subgroup decision to the GDDHE, we give direct security reductions (via Déjà Q techniques) for constructions in composite-order groups (similar to [26]) from subgroup decision assumptions. Our construction has constant-size ciphertexts and keys and is selectively secure under the static subgroup decision assumptions, thus achieving a stronger security guarantee as compared to [26].

3.2 Construction

We now describe the construction .

  • \(\mathsf{Setup}(1^\lambda , 1^n)\): Let \(\mathcal {M}= \{0,1\}^\rho \) where \(\rho \in \mathsf {poly}(\lambda )\). Generate a composite-order pairing ensemble \({(\mathcal {G}= (p_1,p_2,p_3,\mathbb {G},\mathbb {G}_T,e)) {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {}}} \mathsf {GroupGen}(\rho +2\lambda ,3)}\). Set \(N=p_1p_2p_3\) and \(\mathcal {I}= \mathbb {Z}_{N}\). Pick generators \({g, u {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1}^\times }\) and \({g_3 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_3}^\times }\). Sample \({R_{3,i} {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_3}}\) for \(i \in [n]\) using \(g_3\). Also, choose \({\alpha , \gamma {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {Z}_N}\). Let \(\mathsf{H}: \mathbb {G}_T \rightarrow \{0,1\}^\rho \) be a universal hash function with output length \(\rho \). Define the master secret as \(\mathsf {MSK}= (u,\alpha ,\gamma ,g_3)\) while the public parameters consist of

    $$\begin{aligned} {\mathsf {PP}}= \big (\mathcal {G}_\mathrm{pub}, ~g,~ g^\gamma , ~(G_i = g^{\alpha ^i}, ~ U_i = u^{\alpha ^i} \cdot R_{3,i})_{i=1}^n, ~ e(g,u)^\gamma , ~ \mathsf{H}\big ). \end{aligned}$$

  • \({\mathsf{KeyGen}}(\mathsf {MSK},\mathsf{id})\): Pick \({X_3 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_3}}\) (using generator \(g_3\)) and generate the key for identity \(\mathsf{id}\) as

    $$\begin{aligned} \mathsf {SK}_\mathsf{id}= u^{{\frac{\gamma }{\alpha +\mathsf{id}}}} \cdot X_3 . \end{aligned}$$

  • \({\mathsf{Encrypt}}({\mathsf {PP}}, S = \{\mathsf{id}_1,\ldots , \mathsf{id}_\ell \}, M)\): To encrypt \(M \in \{0,1\}^\rho \) for the set S, expand the polynomial \(p_S(x) = \prod _{i=1}^\ell (x+\mathsf{id}_i) = \sum _{j=0}^\ell c_j x^j \in \mathbb {Z}_N[x]\). Choose and output

    $$\begin{aligned}\textstyle \mathsf {CT}= \big (\,C_0 = M \oplus \mathsf{H}(e(g,u)^{s\gamma }), \,\, C_1 = g^{s\gamma } , \,\, C_2 = \Bigl (g^{c_0} \cdot \prod _{j=1}^\ell G_j^{c_j} \Bigr )^s = g^{s \cdot p_S(\alpha )}\,\big ). \end{aligned}$$

  • \({\mathsf{Decrypt}}({\mathsf {PP}},S, \mathsf {CT}, \mathsf{id}, \mathsf {SK}_\mathsf{id})\): If \(\mathsf{id}\not \in S\), return \(\perp \). Otherwise, \(p_S(x) / (x+\mathsf{id}) = p_{S\setminus \{\mathsf{id}\}} (x) = \sum _{i=0}^{\ell -1} z_i x^i\) is a polynomial, where \(z_0 = \prod _{\mathsf{id}_i \in S\setminus \{\mathsf{id}\}} \mathsf{id}_i\). Output \(M = C_0 \oplus \mathsf{H}\big ((A_2/A_1)^{1/z_0}\big )\), where

    $$\begin{aligned} A_1= & {} e(C_1, \prod _{j=1}^{\ell -1} U_j^{z_{j}}) = e(g^{s\gamma }, u^{p_{S\setminus \{\mathsf{id}\}} (\alpha ) - z_0}) = e(g,u)^{s\gamma (p_{S\setminus \{\mathsf{id}\}} (\alpha ) - z_0)} , \\ A_2= & {} e(C_2,\mathsf {SK}_\mathsf{id}) = e(g^{sp_S(\alpha )}, u^{{\frac{\gamma }{\alpha +\mathsf{id}}}} \cdot X_3) = e(g,u)^{s\gamma p_{S\setminus \{\mathsf{id}\}} (\alpha )} . \end{aligned}$$

The correctness of the scheme follows from the divisibility properties of \(p_S(x)\) and is easy to verify.

3.3 Proof of Security

We give the following theorem and refer to the full version [33] for the proof.

Theorem 1

For any adversary \(\mathscr {A}\) attacking in the \(\mathsf sid{\text {-}}cpa\) model making at most q key extraction queries, there exist algorithms \(\mathscr {B}_1,\mathscr {B}_2\) such that

4 Fuzzy IBE with Short Ciphertexts

We now present a fuzzy IBE scheme obtained by transposing the prime-order construction of Herranz et al. [4, 37] to composite order groups. The security of their scheme relies on the augmented multi-sequence of exponents decisional Diffie-Hellman (aMSE-DDH) assumption. As in Sect. 3, we start with an explanation of why this assumption is not covered by the Uber assumption of [23].

Déjà Q Framework Does Not Cover aMSE-DDH Assumption [4, 37]. Let an asymmetric prime-order pairing configuration \(\mathcal {G}= (p,\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T,e)\). We describe an asymmetric version of the \((\ell ,m,t)\)-aMSE-DDH assumption.Footnote 4 With a length-\((\ell +m)\) vector \(\mathbf {y} = (y_1,\ldots ,y_{l+m})\), define functions \(f(Y) = \prod _{i=1}^{\ell } (Y+y_i)\) and \(g(Y) = \prod _{i=\ell +1}^{\ell +m} (Y+y_i)\). Let \(g_0,h_0\) be generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\) and pick \({k,\gamma ,\alpha ,\beta {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {Z}_p}\). The \((\ell ,m,t)\)-aMSE-DDH assumption states that given

$$\begin{aligned} \begin{array}{ll} g_0, g_0^\gamma , \ldots , g_0^{\gamma ^{\ell +t-2}}, \qquad g_0^{k\gamma f(\gamma )}, \qquad &{} h_0, h_0^\gamma , \ldots , h_0^{\gamma ^{m-2}}, \qquad h_0^{kg(\gamma )},\\ g_0^{\beta \gamma }, \ldots , g_0^{\beta \gamma ^{\ell +t-2}}, &{}h_0^\beta ,h_0^{\beta \gamma }, \ldots , h_0^{\beta \gamma ^{m-1}},\\ g_0^{\alpha },g_0^{\alpha \gamma }, \ldots , g_0^{\alpha \gamma ^{\ell +t}}, &{} h_0^\alpha ,h_0^{\alpha \gamma }, \ldots , h_0^{\alpha \gamma ^{2(m-t)+3}}, \end{array} \end{aligned}$$

and \(T \in \mathbb {G}_T\), it is hard to determine whether \(T = e(g_0,h_0)^{kf(\gamma )}\) or \(T \in _R \mathbb {G}_T\).

We observe that the first line of the input is quite similar to the input of the GDDHE assumption [26] (cf. Sect. 3.1). We can transpose the discussion in Sect. 3.1 to the aMSE-DDH assumption. As we have shown, the gap between the uber assumption [23] and the aMSE-DDH assumption is due to the structures of polynomials in the exponents of \(h_0\) and the entry \(g_0^{k\gamma f(\gamma )}\) which shares \(kf(\gamma )\) with the challenge. We therefore conclude that the Déjà Q framework [23] does not subsume the \((\ell ,m,t)\)-aMSE-DDH assumption.

In this section as well, we are not going to start from the aMSE-DDH assumption. Instead, we will try to adapt Herranz et al.’s prime-order construction [37] into composite-order groups and analyse its selective security directly. Our fuzzy IBE scheme preserves the advantages of Herranz et al.’s [37] such as constant-size ciphertexts and can now be proved secure under static assumptions.

4.1 Construction

Before presenting the construction, we describe algorithm Aggregate of [4, 27].

Aggregate Algorithm. The Aggregate algorithm of [27] was given for elements in \(\mathbb {G}_T\), but it carries over to any prime order group [4]. Our construction requires it to work in composite order groups. Let a cyclic group \(\mathbb {G}\) of composite order N. Given a set of pairs \(\{u^{\frac{1}{\alpha +x_i}},x_i\}_{i = 1}^n\), where \(u \in \mathbb {G}\) and \(\alpha \in \mathbb {Z}_{N}\) are unknown and \(x_1,\ldots ,x_n \in \mathbb {Z}_N\) are pairwise distinct elements such that

$$\begin{aligned} \gcd (x_i - x_j,N) = 1 \ \text { for all } i \ne j, \end{aligned}$$
(1)

the algorithm computes the value \( \textsf {Aggregate}(\{u^{\frac{1}{\alpha +x_i}},x_i\}_{i=1}^{n}) = u^{\frac{1}{\prod _{i=1}^{n}(\alpha +x_i)}} \) using \(O(n^2)\) exponentiations. (See the full version [33] for details.) It is unlikely to encounter a pair \((x_i,x_j)\) violating restriction (1) since it exposes a non-trivial factorisation of N and violates the decisional subgroup assumption.

Our Fuzzy IBE Construction. In the description hereunder, we denote by n an upper bound on the number \(\ell \) of attributes per identity. The construction goes as follows.

  • \(\mathsf{Setup}(1^\lambda , 1^n)\): Choose \(\rho \in \mathsf {poly}(\lambda )\) and define \(\mathcal {M}= \{0,1\}^\rho \). Generate a composite-order pairing ensemble \((\mathcal {G}= (p_1,p_2,p_3,\mathbb {G},\mathbb {G}_T,e)) {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {}}} \mathsf {GroupGen}(\rho +2\lambda ,3)\) and set \(N=p_1p_2p_3\). Then, arbitrarily select \(n-1\) distinct dummy identities \(d_1,\ldots ,d_{n-1} \in \mathbb {Z}_N\). Define the set \(\mathcal {I}= \mathbb {Z}_{N} \setminus \{d_1,\ldots ,d_{n-1}\}\). Pick \({g, u_0 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_1}^\times }\) and \({g_3 {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {G}_{p_3}^\times }\) and choose \({\alpha , \gamma {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {Z}_N}\). Let \(\mathsf{H}: \mathbb {G}_T \rightarrow \{0,1\}^\rho \) be a universal hash function. Define \(\mathsf {MSK}= (u_0,\alpha ,\gamma ,g_3)\) while the public parameters consist of

    $$\begin{aligned} {\mathsf {PP}}= \big (\mathcal {G}_\mathrm{pub}, ~g,~ g^\gamma , ~ \big ( G_i = g^{\alpha ^i} \big )_{i=1}^{2n-1}, ~ e(g,u_0)^\gamma , ~ (d_i)_{i=1}^{n-1}, ~ \mathsf{H}\big ). \end{aligned}$$

  • \({\mathsf{KeyGen}}(\mathsf {MSK},S = \{\mathsf{id}_1,\ldots , \mathsf{id}_\ell \})\): Pick , (using generator \(g_3\)) and output the secret key

    $$\begin{aligned} \mathsf {SK}_S = \big (\, \big ( K_i = u^{\frac{\gamma }{\alpha + \mathsf{id}_i}} \cdot X_{3,i} \big )_{i =1}^\ell ,\quad ~ \big ( K'_i = u^{\alpha ^{i}} \cdot X'_{3,i} \big )_{i = 1}^{n-1},\quad ~ K_0 = u \cdot u_0 \cdot X_{3,0} \,\big ). \end{aligned}$$

  • \({\mathsf{Encrypt}}({\mathsf {PP}}, S = \{\mathsf{id}_1,\ldots , \mathsf{id}_\ell \}, \tau \le \ell , M)\): To encrypt \(M \in \{0,1\}^\rho \) for the set S with threshold \(\tau \), compute coefficients \(\{c_j\}_{j \in [0,n+\tau -1]}\) for the polynomial

    $$\begin{aligned}\textstyle p_{S,\tau }(x) = \prod _{i=1}^\ell (x + \mathsf{id}_i) \cdot \prod _{i=1}^{n + \tau - 1 - \ell } (x + d_i) = \sum _{i=0}^{n + \tau - 1} c_i x^i \in \mathbb {Z}_N[x]. \end{aligned}$$

    Choose \({s {\mathop {\longleftarrow }\limits ^{\scriptscriptstyle \mathrm {R}}} \mathbb {Z}_N}\) and output the ciphertext \(\mathsf {CT}_{S,\tau }\) consisting of

    $$\begin{aligned} C_0 = M \oplus \mathsf{H}(e(g,u_0)^{s\gamma }), \quad C_1 = g^{s\gamma } ,\quad C_2 = \big ( g^{c_0} \cdot \prod _{i=1}^{n + \tau - 1} G_i^{c_i} \big )^s = g^{s \cdot p_{S,\tau }(\alpha )}. \end{aligned}$$

  • \({\mathsf{Decrypt}}({\mathsf {PP}},S,\tau , \mathsf {CT}, S', \mathsf {SK}_{S'})\): If \(|S \cap S'| < \tau \), return \(\perp \). Otherwise, we can find a set \(\bar{S} \subseteq \mathcal {I}\) satisfying \(\bar{S} \subseteq S \cap S'\) and \(|\bar{S}| = \tau \). Note that the choice of \(\bar{S}\) is arbitrary. By invoking algorithm \(\mathsf {Aggregate}\), we can compute

    $$\begin{aligned} K_\textsf {Agg} = u^{\frac{\gamma }{\prod _{\mathsf{id}\in \bar{S}} (\alpha + \mathsf{id})}} \cdot X_{3,\textsf {Agg}} \end{aligned}$$

    for some \(X_{3,\textsf {Agg}} \in \mathbb {G}_{p_3}\). Let

    $$\begin{aligned}\textstyle op_{S, \bar{S},\tau } (x) = p_{S,\tau }(x) / \prod _{\mathsf{id}\in \bar{S}} (x + \mathsf{id}) = \sum _{i=0}^{n-1} z_i x^i \end{aligned}$$

    where \(z_0 = \prod _{\mathsf{id}\in S\setminus \bar{S}} \mathsf{id}\cdot \prod _{i = 1}^{n + \tau - 1 - |S|} d_i\). We can compute

    $$\begin{aligned}&\textstyle A_1 = e(C_1, \prod _{i=1}^{n-1} (K'_i)^{z_{i}}) = e(g^{s\gamma }, u^{p_{S, \bar{S},\tau } (\alpha ) - z_0}) = e(g,u)^{s\gamma (p_{S, \bar{S},\tau } (\alpha ) - z_0)},\\&A_2 = e(C_2,K_\textsf {Agg}) = e(g^{s \cdot p_{S,\tau }(\alpha )}, u^{\frac{\gamma }{\prod _{\mathsf{id}\in \bar{S}} (\alpha + \mathsf{id})}} \cdot X_{3,\textsf {Agg}}) = e(g,u)^{s \gamma p_{S, \bar{S},\tau } (\alpha )},\\&A_3 = e(C_1,K_0) = e(g^{s\gamma },u \cdot u_0 \cdot X_{3,0}) = e(g,u)^{s\gamma } \cdot e(g,u_0)^{s\gamma }, \end{aligned}$$

    and recover the message as \(M = C_0 \oplus \mathsf{H}\big (A_3/(A_2/A_1)^{1/z_0}\big )\).

The scheme is easily seen to be correct. We note that \({\mathsf{Decrypt}}\) can be optimized to consume only 2 pairing operations by recovering \( e(g,u)^{s\gamma } = e(C_1,K_0 \cdot (\prod _{i=1}^{n-1} (K'_i)^{z_{i}})^{1/{z_0}})/e(C_2,K_\textsf {Agg}^{1/{z_0}}) \).

4.2 Proof of Security

We give the following theorem and refer to the full version [33] for the proof.

Theorem 2

For any adversary \(\mathscr {A}\) attacking in the \(\mathsf sid{\text {-}}cpa\) model making at most q key extraction queries, there exist algorithms \(\mathscr {B}_1,\mathscr {B}_2\) such that

where \(\ell \) is maximum size of attribute sets.