Time-specific encryption from forward-secure encryption: generic and direct constructions

  • Regular Contribution
  • International Journal of Information Security

Abstract

Paterson and Quaglia (SCN 2010) proposed the concept of time-specific encryption (TSE) and its efficient constructions. TSE is a type of public-key encryption with an additional functionality where an encryptor can specify a suitable time interval, meaning that the ciphertexts may only be decrypted within this time interval. In this work, we propose a new methodology for designing efficient TSE schemes by using forward-secure encryption (FSE), and based on this methodology, we present a specific TSE scheme using Boneh–Boyen–Goh FSE, and a generic construction from any FSE. Our proposed TSE schemes are practical in all aspects with regard to computational costs and data sizes. The sizes of the ciphertext and the public parameter in our schemes are significantly smaller than those in previous schemes in an asymptotic sense.

Notes

  1. As explained in [32], a way to specify an interval has been suggested in [11, 15] but without any formal security analysis.

  2. This FSE scheme is obtained from the hierarchical IBE (HIBE) scheme in [6] via the “HIBE-to-FSE” transformation by Canetti, Halevi, and Katz [10]. See Sect. 2.2.

  3. We remark that we can use the Boneh–Boyen HIBE scheme [5] instead of the BBG HIBE scheme. However, the ciphertext size of the resulting TSE scheme is not constant with respect to T. Therefore, we did not discuss the construction of TSE from Boneh–Boyen HIBE in detail.

  4. We remark that current CP-ABE schemes with constant ciphertext size [13, 18, 22, 25] do not support tree-based access structures.

References

  1. Abdalla, M., Bellare, M., Catalano, D., Kiltz, E., Kohno, T., Lange, T., Malone-Lee, J., Neven, G., Paillier, P., Shi, H.: Searchable encryption revisited: consistency properties, relation to anonymous IBE, and extensions. J. Cryptol. 21(3), 350–391 (2008)

  2. Anderson, R.J.: Two remarks on public key cryptology. Invited lecture. In: ACM Conference on Computer and Communications Security (1997). http://www.cl.cam.ac.uk/techreports/UCAM-CL-TR-549

  3. Attrapadung, N., Imai, H.: Graph-decomposition-based frameworks for subset-cover broadcast encryption and efficient instantiations. In: ASIACRYPT, pp. 100–120 (2005)

  4. Bethencourt, J., Sahai, A., Waters, B.: Ciphertext-policy attribute-based encryption. In: IEEE Symposium on Security and Privacy, pp. 321–334 (2007)

  5. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: EUROCRYPT, pp. 223–238 (2004)

  6. Boneh, D., Boyen, X., Goh, E.J.: Hierarchical identity based encryption with constant size ciphertext. IACR Cryptol. ePrint Arch. 2005, 15 (2005)

  7. Boneh, D., Franklin, M.K.: Identity-based encryption from the Weil pairing. In: CRYPTO, pp. 213–229 (2001)

  8. Boneh, D., Gentry, C., Waters, B.: Collusion resistant broadcast encryption with short ciphertexts and private keys. In: CRYPTO, pp. 258–275 (2005)

  9. Boneh, D., Waters, B.: Conjunctive, subset, and range queries on encrypted data. In: TCC, pp. 535–554 (2007)

  10. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: EUROCRYPT, pp. 255–271 (2003)

  11. Cathalo, J., Libert, B., Quisquater, J.J.: Efficient and non-interactive timed-release encryption. In: ICICS, pp. 291–303 (2005)

  12. Chan, A.C.F., Blake, I.F.: Scalable, server-passive, user-anonymous timed release cryptography. In: ICDCS, pp. 504–513 (2005)

  13. Chen, C., Zhang, Z., Feng, D.: Efficient ciphertext policy attribute-based encryption with constant-size ciphertext and constant computation-cost. In: ProvSec, pp. 84–101 (2011)

  14. Cheon, J.H., Hopper, N., Kim, Y., Osipkov, I.: Provably secure timed-release public key encryption. ACM Trans. Inf. Syst. Secur. 11(2), 4 (2008)

  15. Chow, S.S.M., Roth, V., Rieffel, E.G.: General certificateless encryption and timed-release encryption. In: SCN, pp. 126–143 (2008)

  16. Dent, A.W., Tang, Q.: Revisiting the security model for timed-release encryption with pre-open capability. In: ISC, pp. 158–174 (2007)

  17. Dodis, Y., Katz, J.: Chosen-ciphertext security of multiple encryption. In: TCC, pp. 188–209 (2005)

  18. Emura, K., Miyaji, A., Nomura, A., Omote, K., Soshi, M.: A ciphertext-policy attribute-based encryption scheme with constant ciphertext length. In: ISPEC, pp. 13–23 (2009)

  19. Emura, K., Miyaji, A., Omote, K.: Adaptive secure-channel free public-key encryption with keyword search implies timed release encryption. In: ISC, pp. 102–118 (2011)

  20. Fiat, A., Naor, M.: Broadcast encryption. In: CRYPTO, pp. 480–491 (1993)

  21. Fuhr, T., Paillier, P.: Decryptable searchable encryption. In: ProvSec, pp. 228–236 (2007)

  22. Ge, A., Zhang, R., Chen, C., Ma, C., Zhang, Z.: Threshold ciphertext policy attribute-based encryption with constant size ciphertexts. In: ACISP, pp. 336–349 (2012)

  23. Gentry, C.: Practical identity-based encryption without random oracles. In: EUROCRYPT, pp. 445–464 (2006)

  24. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: EUROCRYPT, pp. 171–188 (2009)

  25. Herranz, J., Laguillaumie, F., Ràfols, C.: Constant size ciphertexts in threshold attribute-based encryption. In: Public Key Cryptography, pp. 19–34 (2010)

  26. Hofheinz, D., Weinreb, E.: Searchable encryption with decryption in the standard model. IACR Cryptol. ePrint Arch. 2008, 423 (2008)

  27. Hwang, Y.H., Yum, D.H., Lee, P.J.: Timed-release encryption with pre-open capability and its application to certified e-mail system. In: ISC, pp. 344–358 (2005)

  28. Kasamatsu, K., Matsuda, T., Emura, K., Attrapadung, N., Hanaoka, G., Imai, H.: Time-specific encryption from forward-secure encryption. In: SCN, pp. 184–204 (2012)

  29. Matsuda, T., Nakai, Y., Matsuura, K.: Efficient generic constructions of timed-release encryption with pre-open capability. In: Pairing, pp. 225–245 (2010)

  30. May, T.: Time-release crypto. http://www.cyphernet.org/cyphernomicon/chapter14/14.5.html (1993)

  31. Nakai, Y., Matsuda, T., Kitada, W., Matsuura, K.: A generic construction of timed-release encryption with pre-open capability. In: IWSEC, pp. 53–70 (2009)

  32. Paterson, K.G., Quaglia, E.A.: Time-specific encryption. In: SCN, pp. 1–16 (2010)

  33. Rivest, R.L., Shamir, A., Wagner, D.A.: Time-lock puzzles and timed-release crypto. Tech. rep., Cambridge, MA, USA (1996)

  34. Shamir, A.: Identity-based cryptosystems and signature schemes. In: CRYPTO, pp. 47–53 (1984)

  35. Tang, Q., Chen, X.: Towards asymmetric searchable encryption with message recovery and flexible search authorization. In: ASIACCS, pp. 253–264 (2013)

  36. Waters, B.: Efficient identity-based encryption without random oracles. In: EUROCRYPT, pp. 114–127 (2005)

  37. Waters, B.: Dual system encryption: Realizing fully secure IBE and HIBE under simple assumptions. In: CRYPTO, pp. 619–636 (2009)

  38. Waters, B.: Ciphertext-policy attribute-based encryption: An expressive, efficient, and provably secure realization. In: Public Key Cryptography, pp. 53–70 (2011)

  39. Zhang, R., Hanaoka, G., Shikata, J., Imai, H.: On the security of multiple encryption or CCA-security+CCA-security=CCA-security? In: Public Key Cryptography, pp. 360–374 (2004)

Author information

Corresponding author

Correspondence to Kohei Kasamatsu.

Additional information

An extended abstract appears in the 8th International Conference on Security and Cryptography for Networks (SCN 2012) [28]. In this full version, we give security proofs of Theorems 1, 3, and 4.

Appendices

Appendix 1: Main concrete construction

Here, we describe the full TSE scheme obtained by using the binary tree structures for the basic version of our scheme presented in Sect. 3. As noted earlier, this construction is obtained by applying the technique from the HIBE-to-FSE transformation by Canetti et al. [10] to the basic version of the proposed scheme for reducing the sizes of the public parameter and TIKs.

Let \(\ell \in {\mathbb {N}}\). Consider two complete binary trees \(B_1\) and \(B_2\), each with \(T = 2^{\ell }-1\) nodes, where T will be the number of time periods supported by the proposed TSE construction. The nodes in those binary trees are numbered incrementally according to a pre-order traversal, with the root node of \(B_1\) being 1 and that of \(B_2\) being \(T+1\). Then, consider the binary tree B with \(2T+1\) nodes in which the children of the root node are the root nodes of \(B_1\) and \(B_2\), with \(B_1\) being the left one. (That is, B has \(B_1\) and \(B_2\) as subtrees.) For convenience, we assign the number \(2T+1\) to the root node of B. Intuitively, each subtree in B will correspond to one instantiation of FSE obtained by applying the HIBE-to-FSE transformation of Canetti et al. [10] to the BBG HIBE scheme (and will also correspond to one chain in our basic construction shown in Sect. 3.2).

We need to introduce vectors “\(TV_t\)” and sets “\({\mathtt {TVSet}}_t\)” (for \(t \in [1,2T]\)). \(TV_{t}\) is the vector consisting of the indices corresponding to the nodes included in the path from the node t to the root node (of B). For \(t \in [ 1, 2T]\), the set \({\mathtt {TVSet}}_{t}\) is defined as follows: \({\mathtt {TVSet}}_1 = \{ TV_{1} \}\), \({\mathtt {TVSet}}_{T+1} = \{ TV_{T+1} \} \). Recursively, for \(t \in [1,2T] \backslash \{ 1, T+1 \}\), \({\mathtt {TVSet}}_{t+1}\) is defined depending on \({\mathtt {TVSet}}_{t}\) as follows: Let \(s = \min \{u : TV_u \in {\mathtt {TVSet}}_t\}\). If the node s is a leaf node, then \({\mathtt {TVSet}}_{t+1}\) is obtained by removing the vector \(TV_{s}\) from the set \({\mathtt {TVSet}}_{t}\). Otherwise, let \(s_{F}\) (resp. \(s_{B}\)) be the index of the left (resp. right) child of the node s. \({\mathtt {TVSet}}_{t+1}\) is the set obtained by removing \(TV_s\) from, and adding \(TV_{s_F}\) and \(TV_{s_B}\) to, the set \({\mathtt {TVSet}}_t\).
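
The bookkeeping above can be traced in a few lines of Python; this is an added example, not code from the paper, and all function names are ours. It assumes \(TV_t\) is listed root-first, reads the recursion as deriving each \({\mathtt {TVSet}}_t\) from its predecessor starting at the two base cases, and models key derivation as a prefix test on vectors. It goes one step beyond the paragraph by checking, with the indices \(t+1\), \(2T-t\), \(t_R+1\) and \(2T-t_L\) used by the scheme below, that a period-t key set reaches both ciphertext vectors exactly when \(t \in [t_L, t_R]\).

```python
"""Index bookkeeping for the tree B of Appendix 1 (no pairings, no keys)."""


def build_tree(ell):
    """Number B: B_1 is 1..T and B_2 is T+1..2T in pre-order, root of B is 2T+1."""
    T = 2 ** ell - 1
    root = 2 * T + 1
    parent = {root: None}
    children = {root: (1, T + 1)}

    def number(node, levels, par):
        parent[node] = par
        if levels == 1:                       # leaf
            children[node] = None
            return
        left = node + 1                       # pre-order: left child comes next
        right = node + 2 ** (levels - 1)      # skip the whole left subtree
        children[node] = (left, right)
        number(left, levels - 1, node)
        number(right, levels - 1, node)

    number(1, ell, root)
    number(T + 1, ell, root)
    return T, parent, children


def tv(t, parent):
    """TV_t as a tuple, root of B first (assumed ordering): (2T+1, ..., t)."""
    path = []
    while t is not None:
        path.append(t)
        t = parent[t]
    return tuple(reversed(path))


def tvset(t, T, children):
    """Node indices u with TV_u in TVSet_t, following the recursion in the text."""
    if not 1 <= t <= 2 * T:
        raise ValueError("t must lie in [1, 2T]")
    base = 1 if t <= T else T + 1             # TVSet_1 and TVSet_{T+1} are the base cases
    nodes = {base}
    for _ in range(base, t):
        s = min(nodes)
        nodes.remove(s)
        if children[s] is not None:           # internal node: replace it by both children
            nodes.update(children[s])
    return nodes


def covers(nodes, target, parent):
    """True if some TV_u with u in nodes is a prefix of TV_target.

    Assumption: a key for TV_u can be delegated to any descendant vector,
    as in the HIBE the scheme is built on.
    """
    goal = tv(target, parent)
    return any(goal[:len(tv(u, parent))] == tv(u, parent) for u in nodes)


def can_decrypt(t, t_l, t_r, ell):
    """Does SK_t hold material for both vectors of a ciphertext for [t_l, t_r]?"""
    T, parent, children = build_tree(ell)
    forward = covers(tvset(t + 1, T, children), t_r + 1, parent)
    backward = covers(tvset(2 * T - t, T, children), 2 * T - t_l, parent)
    return forward and backward


if __name__ == "__main__":
    ell = 3                                   # constructed parameter: T = 7
    T, parent, children = build_tree(ell)
    for t in range(1, 2 * T + 1):
        print(t, tv(t, parent), sorted(tvset(t, T, children)))
    for t in range(T):
        print(t, can_decrypt(t, 2, 4, ell))
```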

Let \(({\mathbb {G}}, {\mathbb {G}}_T, e)\) be bilinear maps, and let \(T = 2^{\ell }-1\) be a polynomial that indicates the number of time periods. Using the above notation, we describe our TSE scheme in the following:

  • \({\mathtt {TSE}}.{\mathtt {Setup}}(1^k, T=2^{\ell }-1)\): Pick \(\alpha ,\beta \xleftarrow {\text {U}} {\mathbb {Z}}_p\), \(g_{2,F}, g_{2,B}, h_0, \ldots , h_\ell \xleftarrow {\text {U}} {\mathbb {G}}\). Then compute \(MSK \leftarrow g^{\alpha \beta }\) and

    $$\begin{aligned}&MPK \leftarrow (g, g_1 \leftarrow g^\alpha , g_{2,F}, g_{2,B}, h_0, \ldots , h_\ell ,\\&\quad P \leftarrow e(g^{\alpha }, g^{\beta }) ), \end{aligned}$$

    and return (MPK, MSK).

  • \({\mathtt {TSE}}.{\mathtt {Ext}}(MSK,t)\): Firstly, pick \(\xi \xleftarrow {\text {U}} {\mathbb {Z}}_p\).

    For each \(TV =(J_0, J_1, \ldots , J_m) \in {\mathtt {TVSet}}_{t+1}\): pick \(r_{F} \xleftarrow {\text {U}} {\mathbb {Z}}_p\), and compute

    $$\begin{aligned} d_{TV} \leftarrow \left( g^{\alpha \beta + \xi }\cdot \left( \prod _{i=0}^m h_i^{J_i} \cdot g_{2,F}\right) ^{r_{F}}, g^{r_{F}}, h_{m+1}^{r_{F}}, \ldots , h_{\ell }^{r_{F}}\right) . \end{aligned}$$

    For each \(TV' = (K_0, K_1, \ldots , K_n) \in {\mathtt {TVSet}}_{2T -t}\): pick \(r_{B} \xleftarrow {\text {U}} {\mathbb {Z}}_p\), and compute

    $$\begin{aligned} d_{TV'} \leftarrow \left( g^{-\xi } \cdot \left( \prod _{i=0}^n h_i^{K_i} \cdot g_{2,B}\right) ^{r_{B}}, g^{r_{B}}, h_{n+1}^{r_{B}}, \ldots , h_{\ell }^{r_{B}}\right) . \end{aligned}$$

    Finally, set \(SK_{t,L} \leftarrow \{ d_{TV}\}_{TV \in {\mathtt {TVSet}}_{t+1}}\) and \(SK_{t, R} \leftarrow \{d_{TV'}\}_{TV' \in {\mathtt {TVSet}}_{2T-t}}\), and return \(SK_t = (t, SK_{t,L}, SK_{t,R})\).

  • \({\mathtt {TSE}}.{\mathtt {Enc}}(MPK, [t_{L}, t_R], M)\): Let \(TV_{t_R + 1}=(J_0, J_1, \ldots , J_m)\) and \(TV_{2T -t_{L}} = (K_0,K_1,\ldots ,K_n)\). Pick \(s \xleftarrow {\text {U}} {\mathbb {Z}}_p\), compute

    $$\begin{aligned}&(C_1, C_2, C_3, C_4)\\&\quad \leftarrow \left( P^s \cdot M, g^s, \left( \prod _{i=0}^m h_i^{J_i} \cdot g_{2,F}\right) ^s, \left( \prod _{i=0}^n h_i^{K_i} \cdot g_{2,B}\right) ^s\right) \end{aligned}$$

    and return \(C = (C_1, C_2, C_3, C_4, [t_L, t_R])\).

  • \({\mathtt {TSE}}.{\mathtt {Dec}}(SK_t, C) \): Let \(SK_t = (t, SK_{t,L}, SK_{t,R})\) and \(C=(C_1,C_2,C_3,C_4, C_5)\). If \(t \not \in C_5\), then return \(\bot \). Otherwise, retrieve \(d_{TV_{t_R + 1}} = (L_1, L_2, \ldots )\) and \(d_{TV_{2T - t_{L}}} = (R_1, R_2, \ldots )\) from \(SK_{t,L}\) and \(SK_{t,R}\), respectively. Compute

    $$\begin{aligned} M = \frac{C_{1} \cdot e(L_2,C_{3}) \cdot e(R_2,C_{4})}{ e(L_1\cdot R_1,C_{2})} \end{aligned}$$

    and return M.
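
The correctness of \({\mathtt {TSE}}.{\mathtt {Dec}}\) follows directly from the key and ciphertext forms above. The derivation below is an added worked example, not part of the original appendix. It uses the shorthand \(\Phi _F = \prod _{i=0}^m h_i^{J_i} \cdot g_{2,F}\) and \(\Phi _B = \prod _{i=0}^n h_i^{K_i} \cdot g_{2,B}\) (names introduced here), takes \(L_1 = g^{\alpha \beta + \xi }\Phi _F^{r_F}\), \(L_2 = g^{r_F}\), \(R_1 = g^{-\xi }\Phi _B^{r_B}\), \(R_2 = g^{r_B}\), and assumes e is symmetric, so that \(P = e(g^\alpha , g^\beta ) = e(g,g)^{\alpha \beta }\):

$$\begin{aligned} e(L_1\cdot R_1, C_2)&= e\left( g^{\alpha \beta }\cdot \Phi _F^{r_F}\cdot \Phi _B^{r_B}, g^s\right) = e(g,g)^{\alpha \beta s}\cdot e(\Phi _F,g)^{r_F s}\cdot e(\Phi _B,g)^{r_B s},\\ e(L_2,C_3)\cdot e(R_2,C_4)&= e(g^{r_F},\Phi _F^{s})\cdot e(g^{r_B},\Phi _B^{s}) = e(\Phi _F,g)^{r_F s}\cdot e(\Phi _B,g)^{r_B s},\\ \frac{C_1\cdot e(L_2,C_3)\cdot e(R_2,C_4)}{e(L_1\cdot R_1,C_2)}&= \frac{P^s\cdot M}{e(g,g)^{\alpha \beta s}} = M. \end{aligned}$$

The factor \(g^{\xi }\) disappears only in the product \(L_1\cdot R_1\), so the forward and backward components must carry the same \(\xi \), that is, come from a single \({\mathtt {TSE}}.{\mathtt {Ext}}\) call.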

The security is guaranteed by the following.

Theorem 4

If the decisional \((\ell +1)\)-wBDHI assumption holds in \(({\mathbb {G}},{\mathbb {G}}_T,e)\), then the above TSE scheme (with \(T = 2^{\ell }-1\) time periods) is IND-CPA secure.

Proof

We consider a TSE scheme whose time space has size polynomial in the security parameter k. Therefore, as we have mentioned in the proof of Theorem 1 in “Appendix 2,” we only need to consider the selective DTI adversary that decides the challenge DTI \([t^*_L, t^*_R]\) at the beginning of the IND-CPA game.

Let \({\mathscr {A}}\) be any IND-CPA adversary that attacks our proposed scheme (in the selective DTI model). We will build an algorithm \({\mathscr {B}}\) that solves the decisional \((\ell + 1)\)-wBDHI\(^*\) problem in \(({\mathbb {G}}, {\mathbb {G}}_T, e)\) by using \({\mathscr {A}}\).

Let \(g,h \xleftarrow {\text {U}} {\mathbb {G}}\), \(\alpha \xleftarrow {\text {U}} {\mathbb {Z}}_{p}^{*}\), \(y_i = g^{(\alpha ^{i+1})}\). \({\mathscr {B}}\) is given as input \((g,h,y_0,y_1,\ldots ,y_{\ell },W)\), where W is \(e(g,h)^{\alpha ^{\ell +2}}\) or a random value in \({\mathbb {G}}_T\). \({\mathscr {B}}\) interacts with \({\mathscr {A}}\) as follows:

Setup When run, \({\mathscr {A}}\) outputs the challenge DTI \([t_{L}^*,t_R^*]\). Let \(TV_{t_R^* + 1} = (J_0^*,J_1^*,\ldots , J_m^*)\), \(TV_{2T-t_{L}^*} = (K_0^*,K_1^*,\ldots ,K_n^*)\). \({\mathscr {B}}\) picks random \(\gamma ,\gamma _0,\gamma _1,\ldots ,\gamma _{\ell },\delta _{F},\delta _R \xleftarrow {\text {U}} {\mathbb {Z}}_p\), sets \(g_1 \leftarrow y_0\), and computes

$$\begin{aligned}&g_{2,F} \leftarrow g^{\delta _{F}}\cdot \prod _{i=0}^m y_{\ell -i}^{J_i^*}, \quad g_{2,B} \leftarrow g^{\delta _R}\cdot \prod _{i=0}^n y_{\ell -i}^{K_i^*},\\&\quad h_i \leftarrow g^{\gamma _i}y_{\ell -i}^{-1} =g^{\gamma _i - \alpha ^{\ell - i + 1}}, \quad {\text {and}} \quad P \leftarrow e(y_0 ,y_{\ell } g^\gamma ), \end{aligned}$$

where \(\alpha ^{\ell + 1} + \gamma \) is implicitly regarded as \(\beta \). Then, \({\mathscr {B}}\) sets \(MPK \leftarrow (g,g_1,g_{2,F},g_{2,B},h_0,\ldots ,h_{\ell },P)\), and gives it to \({\mathscr {A}}\).

Phase 1 If \({\mathscr {A}}\) submits a TIK extraction query \(t_i\), \({\mathscr {B}}\) responds to each query by generating \(SK_{t_i}\) as follows:

  • Case \(t_i < t_{L}^*\): \({\mathscr {B}}\) picks \(\widetilde{\xi } \xleftarrow {\text {U}} {\mathbb {Z}}_p\). Let us implicitly define \(\widetilde{\xi } = \alpha ^{\ell + 2} + \xi \). Since \(\widetilde{\xi }\) is chosen uniformly from \({\mathbb {Z}}_p\), \(\xi \) is also distributed uniformly in \({\mathbb {Z}}_p\). For each \(TV_{u} \in {\mathtt {TVSet}}_{t_i+1}\), \({\mathscr {B}}\) picks \(r_{F} \xleftarrow {\text {U}} {\mathbb {Z}}_p\), and computes

    $$\begin{aligned} d_{TV_{u}} = \left( g^{\widetilde{\xi }}\cdot y_0^{\gamma } \cdot \left( \prod _{i=0}^{\widetilde{m}} h_i^{J_i} \cdot g_{2,F}\right) ^{r_{F}}, g^{r_{F}}, h_{\widetilde{m}+1}^{r_{F}}, \ldots , h_{\ell }^{r_{F}} \right) , \end{aligned}$$

    where \(TV_{u} = (J_0,J_1,\ldots ,J_{\widetilde{m}})\). The above \(d_{TV_{u}}\) satisfies the following:

    $$\begin{aligned}&\left( g^{\widetilde{\xi }}\cdot y_0^{\gamma } \cdot \left( \prod _{i=0}^{\widetilde{m}} h_i^{J_i} \cdot g_{2,F}\right) ^{r_{F}}, g^{r_{F}}, h_{\widetilde{m}+1}^{r_{F}}, \ldots , h_{\ell }^{r_{F}} \right) \\&\quad = \left( g^{\alpha (\gamma + \alpha ^{\ell +1}) + \xi }\cdot \left( \prod _{i=0}^{\widetilde{m}} h_i^{J_i} \cdot g_{2,F}\right) ^{r_{F}}, g^{r_{F}}, h_{\widetilde{m}+1}^{r_{F}}, \ldots , h_{\ell }^{r_{F}} \right) \\&\quad = \left( g^{\alpha \beta + \xi }\cdot \left( \prod _{i=0}^{\widetilde{m}} h_i^{J_i} \cdot g_{2,F}\right) ^{r_{F}}, g^{r_{F}}, h_{\widetilde{m}+1}^{r_{F}}, \ldots , h_{\ell }^{r_{F}} \right) \end{aligned}$$

    Therefore, the secret key is valid.

    Next, we consider the secret keys of \(TV_{w} \in {\mathtt {TVSet}}_{2T - t_i}\). Write \(TV_{w} = (K_0^*,\ldots , K_{d-1}^*,K_d,\ldots ,K_{\widetilde{n}})\). We generate the secret key of \((K_0^*,\ldots , K_{d-1}^*,K_d)\) and use this secret key to derive the secret key of \(TV_{w}\). \({\mathscr {B}}\) picks random \(\widetilde{r}_{B} \xleftarrow {\text {U}} {\mathbb {Z}}_p\). We set \(\widetilde{r}_{B} = \alpha ^{d+1} + r_{B} (K_d^* - K_d)\). \({\mathscr {B}}\) computes

    $$\begin{aligned} \begin{aligned} d&_{(K_0^*,\ldots , K_{d-1}^*,K_d)}\\&\leftarrow \left( g^{-\widetilde{\xi }} \cdot g^{\alpha ^{\ell - d + 1}\widetilde{r}_{B} } \cdot \left\{ \left( \prod _{i=0}^{d-1} y_{d}^{\gamma _{i}K_{i}^{*}} \cdot y_{d}^{\gamma _{d}K_{d}} \cdot y_{d}^{\delta _{B}} \cdot \prod _{j=d+1}^{n} y_{\ell - j + d +1}^{K_{j}^{*}}\right) \right. \right. \\&\quad \cdot \left. \left( \prod _{i=0}^{d-1} g^{\gamma _i K_i^*}\cdot g^{\gamma _d K_d} \cdot g^{\delta _R}\cdot \prod _{j=d+1}^n g^{(\alpha ^{\ell -j+1}) K_{j}^{*}}\right) ^{-\widetilde{r}_{B}} \right\} ^{\frac{1}{K_{d}^{*} - K_{d}}},\\&(g^{\widetilde{r}_{R}}\cdot y_u^{-1} )^\frac{1}{K_u^* - K_u}, (g^{\gamma _{n+1} \widetilde{r}_{B}}\cdot y_u^{-\gamma _{n+1}}\cdot y_{\ell -n-1}^{\widetilde{r}_{B}}\cdot y_{\ell -n+u})^{\frac{1}{K_u-K_u^*}},\ldots ,\\&\quad \times \left. (g^{\gamma _{\ell } \widetilde{r}_{B}}\cdot y_u^{-\gamma _{\ell }}\cdot y_{0}^{\widetilde{r}_{B}}\cdot y_{u+1})^{\frac{1}{K_u-K_u^*}} \right) . \end{aligned} \end{aligned}$$

    \({\mathscr {B}}\) generates the secret key of \(TV_{w}\) from this secret key.

    We claim that the components in \(d_{(K_0^*,\ldots , K_{d-1}^*,K_d)}\) are valid and distributed identically to those in the real IND-CPA game.

    $$\begin{aligned}&d_{(K_0^*, \ldots , K_{d-1}^*, K_d)}\\&\quad = \left( g^{-\xi } \cdot \left( \prod _{i=0}^{d-1} h_i^{K_i^*} \cdot h_d^{K_d} \cdot g_{2,B}\right) ^{r_{B}}, g^{r_{B}}, h_{d+1}^{r_{B}}, \ldots , h_{\ell }^{r_{B}} \right) . \end{aligned}$$

    The first component in \(d_{(K_0^*,\ldots , K_{d-1}^*,K_d)}\) is calculated as follows:

    $$\begin{aligned}&g^{-\widetilde{\xi }} \cdot g^{\alpha ^{\ell - d + 1}\widetilde{r}_{B} } \cdot \left\{ \left( \prod _{i=0}^{d-1} y_{d}^{\gamma _{i}K_{i}^{*}} \cdot y_{d}^{\gamma _{d}K_{d}} \cdot y_{d}^{\delta _{B}} \cdot \prod _{j=d+1}^{n} y_{\ell - j + d +1}^{K_{j}^{*}}\right) \right. \\&\qquad \left. \cdot \left( \prod _{i=0}^{d-1} g^{\gamma _i K_i^*}\cdot g^{\gamma _d K_d} \cdot g^{\delta _R}\cdot \prod _{j=d+1}^n g^{(\alpha ^{\ell -j+1}) K_{j}^{*}}\right) ^{-\widetilde{r}_{B}} \right\} ^{\frac{1}{K_{d}^{*} - K_{d}}}\\&\quad = g^{-\widetilde{\xi }} \cdot g^{\alpha ^{\ell + 2}} \cdot g^{\alpha ^{\ell -d+1}(K_d^* -K_d)r_{B}}\\&\qquad \cdot \left( \prod _{i=0}^{d-1} g^{\gamma _i K_i^*}\cdot g^{\gamma _d K_d} \cdot g^{\delta _R}\cdot \prod _{j=d+1}^n g^{(\alpha ^{\ell -j+1}) K_{j}^{*}}\right) ^{r_{B}} \\&\quad = g^{\alpha ^{\ell + 2} - \widetilde{\xi }} \\&\qquad \cdot \left( \prod _{i=0}^{d-1} g^{\gamma _i K_i^*}\cdot g^{\gamma _d K_d}\cdot g^{\alpha ^{\ell -d+1}(K_d^* -K_d)}\cdot g^{\delta _R}\cdot \prod _{j=d+1}^n g^{(\alpha ^{\ell -j+1}) K_{j}^{*}}\right) ^{r_{B}} \\&\quad = g^{-\{ \widetilde{\xi } - \alpha ^{\ell + 2} \} } \\&\qquad \cdot \left( \prod _{i=0}^{d-1} g^{(\gamma _i - \alpha ^{\ell -i+1})K_i^*} \cdot g^{(\gamma _d - \alpha ^{\ell -d+1})K_d} \cdot g^{\delta _R} \cdot \prod _{j=0}^n g^{(\alpha ^{\ell -j+1})K_j^*}\right) ^{r_{B}}\\&\quad = g^{-\xi } \cdot \left( \prod _{i=0}^{d-1} h_i^{K_i^*} \cdot h_d^{K_d} \cdot g_{2,B}\right) ^{r_{B}} \end{aligned}$$

    The second component in \(d_{(K_0^*,\ldots , K_{d-1}^*,K_d)}\) is calculated as follows:

    $$\begin{aligned} (g^{\widetilde{r}_{R}}\cdot y_d^{-1} )^\frac{1}{K_d^* - K_d} =g^{\frac{\widetilde{r}_{R}-\alpha ^{d+1}}{K_d^* - K_d}} =g^{r_{B}} \end{aligned}$$

    The third component in \(d_{(K_0^*,\ldots , K_{d-1}^*,K_d)}\) is calculated as follows:

    $$\begin{aligned}&(g^{\gamma _{d+1} \widetilde{r}_{R}}\cdot y_d^{-\gamma _{d+1}} \cdot y_{\ell - d - 1}^{\widetilde{r}_{R}}\cdot y_{\ell })^{\frac{1}{K_d^* - K_d}}\\&\qquad = (g^{\gamma _{d+1} - \alpha ^{\ell - d}})^{\frac{\widetilde{r}_{R}-\alpha ^{d+1}}{K_d^* - K_d}} = h_{d+1}^{r_{B}} \end{aligned}$$

    \({\mathscr {B}}\) can calculate the remaining components \((h_{d+2}^{r_{B}}, \ldots , h_{\ell }^{r_{B}})\) since they do not involve a \(g^{\alpha ^{\ell + 2}}\) term. Therefore, \({\mathscr {B}}\) can compute a valid secret key \(d_{(K_0^*,\ldots , K_{d-1}^*,K_d)}\) which is distributed identically to that in the real IND-CPA game. \({\mathscr {B}}\) finally sets \(SK_{t_i} \leftarrow (t_i, \{d_{TV_{u}}\}_{TV_u \in {\mathtt {TVSet}}_{t_i + 1}}, \{d_{TV_{w}}\}_{TV_w \in {\mathtt {TVSet}}_{2T-t_i}})\), and gives the TIK \(SK_{t_i}\) to \({\mathscr {A}}\).

  • Case \(t_i > t_R^*\): \({\mathscr {B}}\) first picks \(\xi \xleftarrow {\text {U}} {\mathbb {Z}}_p\). For each \(TV_{u} \in {\mathtt {TVSet}}_{t_i+1}\), \({\mathscr {B}}\) picks \(\widetilde{r}_{B} \xleftarrow {\text {U}} {\mathbb {Z}}_p\). Let \(TV_{u} = (J_0^*,\ldots , J_{u-1}^*,J_u,\ldots ,J_{\widetilde{m}})\). \({\mathscr {B}}\) can derive the secret key of \(TV_{u}\) from the secret key \(d_{(J_0^*,\ldots , J_{u-1}^*,J_u)}\). \({\mathscr {B}}\) computes

    $$\begin{aligned} \begin{aligned}&d_{(J_0^*,\ldots , J_{u-1}^*,J_u)}\\&\quad \leftarrow \left( y_0^{\gamma }\cdot g^{\xi } \cdot y_{\ell - u}^{\widetilde{r}_{F}} \cdot \left\{ \left( \prod _{i=0}^{u-1} \left( g^{\gamma _{i}J_{i}^{*}} \cdot g^{\delta _{F}}\cdot \prod _{j=u+1}^{m} y_{\ell - j}^{J_{j}^{*}}\right) ^{\widetilde{r}_{F}}\right. \right. \right. \\&\quad \cdot \left. \left( \prod _{i=0}^{u-1} y_{i}^{\gamma _{i}J_{i}^{*}} \cdot y_{u}^{\delta _{F}} \cdot \prod _{j=u+1}^{m} y_{\ell + u + 1 - j}^{J_{j}^{*}}\right) ^{-1} \right\} ^{\frac{1}{J_{u}^{*}-J_{u}}},\\&\quad \times \left( g^{\widetilde{r}_{L}}\cdot y_d^{-1} \right) ^\frac{1}{J_u^* - J_u}, \left( g^{\gamma _{u+1} \widetilde{r}_{F}}\cdot y_u^{-\gamma _{u+1}}\cdot y_{\ell -u-1}^{-\widetilde{r}_{F}}\cdot y_{\ell }\right) ^{\frac{1}{J_u^*-J_u}},\ldots ,\\&\quad \times \left. \left. \left( g^{\gamma _{\ell } \widetilde{r}_{F}}\cdot y_u^{-\gamma _{\ell }}\cdot y_{0}^{\widetilde{r}_{F}}\cdot y_{u+1}^{-1}\right) ^{\frac{1}{J_u^{*}-J_u}} \right) \right) . \end{aligned} \end{aligned}$$

    \({\mathscr {B}}\) can then derive the secret key of \(TV_{u}\) from \(d_{(J_0^*,\ldots , J_{u-1}^*,J_u)}\).

    For \(TV_{w} \in {\mathtt {TVSet}}_{2T - t_i}\), \({\mathscr {B}}\) computes

    $$\begin{aligned} d_{TV_{w}} \leftarrow \left( g^{\xi } \cdot \left( \prod _{i=0}^{\widetilde{n}} h_i^{K_i} \cdot g_{2,B}\right) ^{r_{B}}, g^{r_{B}}, h_{m+1}^{r_{B}}, \ldots , h_{\ell }^{r_{B}} \right) \end{aligned}$$

    where \(TV_{w} = (K_0,\ldots , K_{\widetilde{n}})\).

    \({\mathscr {B}}\) finally sets \(SK_{t_i} \leftarrow (t_i, \{d_{TV_{u}}\}_{TV_u \in {\mathtt {TVSet}}_{t_i +1}}, \{d_{TV_{w}}\}_{TV_w \in {\mathtt {TVSet}}_{2T - t_i}})\), and gives the TIK \(SK_{t_i}\) to \({\mathscr {A}}\).

Challenge When \({\mathscr {A}}\) decides that Phase 1 is over, it outputs the challenge plaintexts \(M_0 , M_1\). \({\mathscr {B}}\) picks a random bit \(b \xleftarrow {\text {U}} \{0,1\}\), and computes the challenge ciphertext by

$$\begin{aligned}&C^{*} \leftarrow \Big (M_b \cdot W \cdot e(y_0,h^\gamma ), h, h^{\delta _{F} + \sum _{i=0}^m J_i^* \gamma _i},\\&\qquad \qquad \qquad h^{\delta _R + \sum _{j=0}^n K_j^* \gamma _j}, [t_{L}^* ,t_R^*] \Big ), \end{aligned}$$

and gives it to \({\mathscr {A}}\). Let \(\log _g h = s\). Observe that if \(W = e(g,h)^{\alpha ^{\ell +2}}\), then \(C^{*}\) is of the following form:

$$\begin{aligned}&C^* = \left( W\cdot e(y_0,h^\gamma ) \cdot M_b, h, h^{\delta _{F} + \sum _{i=0}^m J_i^* \gamma _i}, h^{\delta _R + \sum _{j=0}^n K_j^* \gamma _j} \right) \\&\quad = \left( e(g,g)^{\alpha ^{\ell +2}s}\cdot e(g,g)^{\alpha \gamma s}\cdot M_b, g^s,\right. \\&\qquad \left. \left( g^{\delta _{F}}\cdot \prod _{i=0}^{m} g^{\gamma _i J_i^*}\right) ^s, \left( g^{\delta _R}\prod _{j=0}^{n} g^{\gamma _j K_j^*}\right) ^s\right) \\&\quad = \left( e(y_0, y_{\ell } g^{\gamma })^s \cdot M_b, g^s,\right. \\&\qquad \left. \left( \prod _{i=0}^{m} g^{(\gamma _i - \alpha ^{\ell -i+1})J_i^*}\cdot g^{\delta _{F}}\cdot \prod _{i=0}^{m} g^{\alpha ^{\ell -i+1}J_i^*}\right) ^s,\right. \\&\qquad \left. \left( \prod _{j=0}^{n} g^{(\gamma _j - \alpha ^{\ell -j+1})K_j^*}\cdot g^{\delta _R} \cdot \prod _{j=0}^{n} g^{\alpha ^{\ell -j+1}K_j^*}\right) ^s \right) \\&\quad =\left( P^s \cdot M_b, g^s, \left( \prod _{i=0}^{m} h_i^{J_i^*} \cdot g_{2,F}\right) ^s, \left( \prod _{j=0}^{n} h_j^{K_j^*}\cdot g_{2,B}\right) ^s \right) \end{aligned}$$

Then, from the above equation, since the information on b and W has been hidden until this point, \(C^*\) is distributed identically to the challenge ciphertext in the real IND-CPA game. On the other hand, if W is a random value in \({\mathbb {G}}_T\), then the information on b is information-theoretically hidden from \({\mathscr {A}}\)’s view.

Phase 2 \({\mathscr {B}}\) responds to \({\mathscr {A}}\)’s TIK extraction queries as in Phase 1.

Guess Finally, \({\mathscr {A}}\) outputs its guess \(b' \in \{ 0,1 \}\). If \(b=b'\), \({\mathscr {B}}\) outputs \(\eta ' \leftarrow 1\). Otherwise \({\mathscr {B}}\) outputs \(\eta ' \leftarrow 0\).

The above completes the description of \({\mathscr {B}}\). Note that \({\mathscr {B}}\) outputs 1 if and only if \({\mathscr {A}}\) succeeds in guessing the bit b. When \(W = e(g, h)^{\alpha ^{\ell + 2}}\), then \({\mathscr {B}}\) perfectly simulates the IND-CPA game for \({\mathscr {A}}\) in which the challenge bit is b. Therefore, we have \(\Pr [\eta ' = 1 | W = e(g,h)^{\alpha ^{\ell + 2}}] = Adv^{CPA}_{TSE,{\mathscr {A}}}(k) + \frac{1}{2}\). If W is a random element in \({\mathbb {G}}_T\), then the information on b is completely hidden from \({\mathscr {A}}\)’s view and thus \({\mathscr {A}}\) is unable to get the information on the bit b. Therefore, \(\Pr [\eta ' = 1 |W~{\text {is random}}] = \frac{1}{2}\). \({\mathscr {B}}\)’s advantage in solving the decisional \((\ell + 1)\)-wBDHI\(^*\) problem can be estimated as follows:

$$\begin{aligned}&|\Pr [\eta ' = 1 | W = e(g,h)^{\alpha ^{\ell +2}}] - \Pr [\eta ' = 1 | W~{\text {is random}}]| \\&\quad = |Adv_{TSE,{\mathscr {A}}}^{CPA}(k) + \frac{1}{2} - \frac{1}{2}| \\&\quad = Adv_{TSE,{\mathscr {A}}}^{CPA}(k). \end{aligned}$$

If \(Adv_{TSE,{\mathscr {A}}}^{CPA}\) is not negligible, \({\mathscr {B}}\) has non-negligible advantage in solving the decisional \((\ell +1)\)-wBDHI\(^*\) problem in \(({\mathbb {G}},{\mathbb {G}}_T, e)\). This contradicts the decisional \((\ell +1)\)-wBDHI\(^*\) assumption. Therefore, for all PPT adversaries \({\mathscr {A}}\), the IND-CPA advantage is negligible. This completes the proof of Theorem 4. \(\square \)

Appendix 2: Proof of Theorem 1

Proof

We consider a TSE scheme whose number of time units is polynomial in the security parameter k. Therefore, the size of the set of all possible DTIs \([t_{L}, t_R]\) with \(0 \le t_{L} \le t_R \le T-1\) is polynomial in k. Then, the “selective” DTI security in which an adversary has to decide its challenge DTI at the beginning of the IND-CPA game, and the “adaptive” DTI security which is the IND-CPA security we defined in Sect. 2.1 are polynomially equivalent. Therefore, we show the IND-CPA security of our scheme in the selective DTI model.

Let \({\mathscr {A}}\) be any IND-CPA adversary that attacks the basic version of our proposed scheme (in the selective DTI model). We will build an algorithm \({\mathscr {B}}\) that solves the decisional \((T+1)\)-wBDHI\(^*\) problem in \(({\mathbb {G}},{\mathbb {G}}_T, e)\) by using \({\mathscr {A}}\).

Let \(g,h \xleftarrow {\text {U}} {\mathbb {G}}\), \(\alpha \xleftarrow {\text {U}} {\mathbb {Z}}_{p}^{*}\), \(y_i = g^{(\alpha ^{i+1})}\). \({\mathscr {B}}\) is given as input \((g,h,y_0,y_1,\ldots ,y_{T},W)\), where W is either \(e(g,h)^{(\alpha ^{T +2})}\) or a random value in \({\mathbb {G}}_T\). \({\mathscr {B}}\) interacts with \({\mathscr {A}}\) as follows.

Setup When run, \({\mathscr {A}}\) firstly outputs the challenge DTI \([t_{L}^{*} , t_R^{*}]\). \({\mathscr {B}}\) picks random \(\gamma ,\gamma _0,\gamma _1,\ldots ,\gamma _{T},\delta _F,\delta _B \xleftarrow {\text {U}} {\mathbb {Z}}_p\), sets \(g_1 \leftarrow y_0\), and computes

$$\begin{aligned}&g_{2,F} \leftarrow g^{\delta _F}\cdot y_{T}^{2T + 1} \cdot \prod _{i=1}^{t_R^* + 1} y_{T-i}^{i},\\&\quad g_{2,B} \leftarrow g^{\delta _B}\cdot y_{T}^{2T + 1}\cdot \prod _{i=1}^{T - t_{L}^*} y_{T-i}^{T + i},\\&\quad h_i \leftarrow g^{\gamma _i}y_{T-i}^{-1}, \quad {\text {and}} \quad P \leftarrow e(y_0 ,y_{T} g^\gamma ), \end{aligned}$$

where \(\alpha ^{T + 1} + \gamma \) is implicitly regarded as \(\beta \). Then, \({\mathscr {B}}\) sets \(MPK \leftarrow (g,g_1,g_{2,F},g_{2,B},h_0,\ldots ,h_{T},P)\), and gives it to \({\mathscr {A}}\). We note that MPK is distributed identically to that given to \({\mathscr {A}}\) in the real IND-CPA game.

Phase 1 If \({\mathscr {A}}\) submits a TIK extraction query \(t_i\), \({\mathscr {B}}\) responds to each query by generating \(SK_{t_i}\) as follows:

  • Case \(t_i < t_{L}^{*}\): \({\mathscr {B}}\) picks \(\widetilde{\xi } ,r_{F} \xleftarrow {\text {U}} {\mathbb {Z}}_p\). Let us implicitly define \(\xi \) by \(\widetilde{\xi } = \alpha ^{T + 2} + \xi \). Since \(\widetilde{\xi }\) is chosen uniformly from \({\mathbb {Z}}_p\), \(\xi \) is also distributed uniformly in \({\mathbb {Z}}_p\). \({\mathscr {B}}\) computes the first component of a TIK \(SK_{t_i}\) as follows:

    $$\begin{aligned}&d_{t_i + 1,F}=\left( g^{\widetilde{\xi }} \cdot y_0^{\gamma }\cdot (h_{0}^{2T +1}\right. \\&\qquad \qquad \qquad \left. \cdot \prod _{i=1}^{t_{i}+1} h_{i}^{i} \cdot g_{2,F})^{r_{F}}, g^{r_{F}}, h_{t_{i}+2}^{r_{F}},\ldots , h_{T}^{r_{F}} \right) . \end{aligned}$$

    Recalling that \(pk_F = (g, g_1, g_{2,F}, \mathbf {h}, P)\) and \(d_{0,F} = g^{\alpha \beta + \xi }\), this component \(d_{t_i + 1,F}\) satisfies the following:

    $$\begin{aligned}&\left( g^{\widetilde{\xi }} \cdot y_0^{\gamma }\cdot (h_{0}^{2T +1} \cdot \prod _{i=1}^{t_{i}+1} h_{i}^{i} \cdot g_{2,F})^{r_{F}}, g^{r_{F}}, h_{t_{i}+2}^{r_{F}}, \ldots , h_{T}^{r_{F}} \right) \\&\quad = \left( g^{\alpha ^{T + 2} + \xi }\cdot g^{ \alpha \gamma } \cdot (h_{0}^{2T +1}\right. \\&\qquad \left. \cdot \prod _{i=1}^{t_{i}+1} h_{i}^{i} \cdot g_{2,F})^{r_{F}}, g^{r_{F}}, h_{t_{i}+2}^{r_{F}}, \ldots , h_{T}^{r_{F}} \right) \\&\quad = \left( g^{\alpha (\alpha ^{T + 1} + \gamma ) + \xi } \cdot (h_{0}^{2T +1}\right. \\&\qquad \left. \cdot \prod _{i=1}^{t_{i}+1} h_{i}^{i} \cdot g_{2,F})^{r_{F}}, g^{r_{F}}, h_{t_{i}+2}^{r_{F}}, \ldots , h_{T}^{r_{F}} \right) \\&\quad = \left( g^{\alpha \beta + \xi } \cdot f(t_i+1, \mathbf {h}, 0, g_{2,F})^{r_{F}}, g^{r_{F}}, h_{t_{i}+2}^{r_{F}}, \ldots , h_{T}^{r_{F}} \right) \\&\quad = {\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_F, 0,t_i+1, 0, d_{0,F}; r_F). \end{aligned}$$

    Since \(r_F\) and \(\xi \) are chosen uniformly at random, \(d_{t_i+1,F}\) is distributed as in the real IND-CPA game.

    \({\mathscr {B}}\) now proceeds to calculate the second component \(d_{T - t_i , B}\). To this end, \({\mathscr {B}}\) first generates \(d_{T - t_{L}^{*} + 1, B}\). \({\mathscr {B}}\) picks a random \(\widetilde{r}_{B} \xleftarrow {\text {U}} {\mathbb {Z}}_p\). Let us define \(\widetilde{r}_{B} = \alpha ^{T -t_{L}^{*} + 2} - r_{B}(2T -t_{L}^{*} + 1)=\alpha ^{T -t_{L}^{*} + 2} - r_{B}\rho \), where \(\rho = 2T -t_{L}^{*} + 1\). Next, \({\mathscr {B}}\) generates \(d_{T - t_{L}^{*} + 1, B}\) as follows.

    $$\begin{aligned}&d_{T - t_{L}^{*} + 1, B} = \left( g^{\alpha ^{t_{L}^{*}\widetilde{r}_{B} }} \cdot g^{ - \widetilde{\xi }} \cdot (y_{T - t_{L}^{*} + 1})^{\frac{\gamma _{0}(2T + 1) + \delta _B + \varSigma _{i=1}^{T - t_{L}^{*} + 1} \gamma _{i}(T + i)}{2T - t_{L}^{*} + 1}}\right. \\&\qquad \qquad \cdot \left( g^{\gamma _{0}(2T + 1)} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} g^{\gamma _{i}(T + i)} \cdot g^{\delta _B}\right) ^{\frac{1}{\rho }}, \\&\qquad \qquad \left. (y_{T -t_{L}^{*}+1} \cdot g^{\widetilde{r}_{R}})^{\frac{1}{\rho }},H_2, \ldots , H_{t^*_L} \right) \end{aligned}$$

    where \(H_i = (y_{T - t_{L}^{*} + 1}^{\gamma _{T} - t^*_L + j}\cdot g^{-\gamma _{T}\widetilde{r}_{R}}\cdot y_{T-t_{L}^{*}+2}^{-1}\cdot y_{T}^{\widetilde{r}_{R}})^{\frac{1}{\rho }}\) for \(j = \{2, \ldots , t^*_L \}\).

    Here, we claim that \(d_{T - t_{L}^{*} + 1, B}\) is of the form:

    $$\begin{aligned}&d_{T - t_{L}^{*} + 1, B} = {\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_B, 0,T- t^*_L + 1, 1, d_{0,B}; r_B)\\&\quad = \left( g^{-\xi } \cdot f(T-t^*_L, 1, g_{2,B})^{r_B}, g^{r_B}, h^{r_B}_{T - t^*_L + 2}, \ldots , h^{r_B}_{T} \right) \\&\quad = \left( g^{-\xi } \cdot (h_{0}^{2T+1} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} h_{i}^{T+i} \cdot g_{2,B})^{r_{B}}, g^{r_{B}}, h_{T-t_{L}^{*}+2}^{r_{B}}, \ldots , h_{T}^{r_{B}}\right) \!, \end{aligned}$$

    which we show in the following. The first component of \(d_{T - t_{L}^{*} + 1 , B}\) is

    $$\begin{aligned}&g^{\alpha ^{t_{L}^{*}\widetilde{r}_{B} }} \cdot g^{ - \widetilde{\xi }} \cdot (y_{T - t_{L}^{*} + 1})^{\frac{\gamma _{0}(2T + 1) + \delta _B + \varSigma _{i=1}^{T - t_{L}^{*} + 1} \gamma _{i}(T + i)}{2T - t_{L}^{*} + 1}} \\&\qquad \cdot \left( g^{\gamma _{0}(2T + 1)} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} g^{\gamma _{i}(T + i)} \cdot g^{\delta _B}\right) ^{\frac{1}{\rho }}\\&\quad = g^{\alpha ^{t_{L}^{*}\{ \alpha ^{T - t_{L}^{*} + 2}-r_{B} (2T - t_{L}^{*} + 1) \} }} \cdot g^{ - \widetilde{\xi }}\\&\qquad \cdot \left( g^{\gamma _{0}(2T + 1)} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} g^{\gamma _{i}(T + i)} \cdot g^{\delta _B}\right) ^{r_{B}} \\&\quad = g^{\alpha ^{T + 2} - \widetilde{\xi }} \cdot g^{-r_{B} (2T - t_{L}^{*} + 1)\alpha ^{t_{L}^{*}}}\\&\qquad \cdot \left( g^{\gamma _{0}(2T + 1)} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} g^{\gamma _{i}(T + i)} \cdot g^{\delta _B}\right) ^{r_{B}} \\&\quad = g^{\alpha ^{T + 2} - \widetilde{\xi }}\\&\qquad \cdot \left( g^{\gamma _{0}(2T + 1)} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} g^{\gamma _{i}(T + i)} \cdot g^{\delta _B} \cdot g^{-(2T - t_{L}^{*} + 1)\alpha ^{t_{L}^{*}}}\right) ^{r_{B}} \\&\quad = g^{\alpha ^{T + 2} - \widetilde{\xi }} \cdot \left( g^{\gamma _{0}(2T + 1)} \cdot y_{T}^{-(2T + 1)}\right. \\&\qquad \left. \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} (g^{\gamma _{i}} \cdot y_{T - i}^{-1})^{T + i} \cdot g^{\delta _B} \cdot y_{T}^{2T + 1} \prod _{i=1}^{T -t_{L}^{*}} y_{T}^{T + i} \right) ^{r_{B}} \\&\quad = g^{-\xi } \cdot \left( h_{0}^{2T + 1} \cdot \prod _{i=1}^{T -t_{L}^{*} + 1} h_{i}^{T + i} \cdot g_{2,B}\right) ^{r_{B}}. \end{aligned}$$

    The second component of \(d_{T - t_{L}^{*} + 1 , B}\) can be calculated as follows:

    $$\begin{aligned} (y_{T -t_{L}^{*}+1} \cdot g^{\widetilde{r}_{R}})^{\frac{1}{\rho }} = g^{\frac{\alpha ^{T -t_{L}^{*} +2}-\widetilde{r}_{R}}{\rho }} = g^{r_{B}}. \end{aligned}$$

    The third component of \(d_{T - t_{L}^{*} + 1 , B}\) can be calculated as follows:

    $$\begin{aligned}&(y_{T -t_{L}^{*} + 1}^{\gamma _{T - t_{L}^{*} + 2}} \cdot y_{T}^{-1} \cdot g^{-\widetilde{r}_{R} \cdot \gamma _{T - t_{L}^{*} + 2}}\cdot \\&\quad y_{t_{L}^{*} - 2}^{\widetilde{r}_{R}})^{\frac{1}{\rho }} = g^{(\gamma _{T - t_{L}^{*} + 2} - \alpha ^{t_{L}^{*} - 1})r_{B}} = h_{T - t_{L}^{*} + 2}^{r_{B}}. \end{aligned}$$

    The remaining components \(h_{T - t_{L}^{*} + 3}^{r_{B}}, \ldots , h_{T }^{r_{B}}\) can be computed by \({\mathscr {B}}\) since they do not involve the value \(g^{\alpha ^{T+2}}\).

    Therefore, the component \(d_{T - t_{L}^{*} + 1 , B}\) has a valid form. Furthermore, since \(r_B\) is uniformly distributed over \({\mathbb {Z}}_p\), so is \(\widetilde{r}_B\).

    Then, \({\mathscr {B}}\) derives \(d_{T - t_i, B}\) from \(d_{T-t^*_L+1}\) by executing \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_{B},T - t^*_L + 1, T-t_i, d_{T-t^*_{L} +1})\). Note that \(d_{T-t_i,B}\) obtained here is distributed identically to the value computed by executing \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_B, 0, T-t_i, 1, d_{0,B})\), because in the BBG HIBE scheme, a decryption key derived directly from a master secret key and the key derived from some parent nodes in the hierarchy are exactly the same, and this property is inherited by \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}\) in our scheme.

    \({\mathscr {B}}\) finally sets \(SK_{t_i} \leftarrow (d_{t_i,F}, d_{T - t_i -1, B})\), and gives the TIK \(SK_{t_i}\) to \({\mathscr {A}}\).

  • Otherwise (i.e., \(t_i > t_R^{*}\)): First, \({\mathscr {B}}\) generates \(d_{T-t_i,B}\) by picking random \( r_{B} , \xi \xleftarrow {\text {U}} {\mathbb {Z}}_p\), setting \(d_{0,B} \leftarrow g^{-\xi }\), and then computing as follows:

    $$\begin{aligned} d_{T -t_i ,B} = {\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_B, 0, T-t_i, 1, d_{0,B}; r_B), \end{aligned}$$

    which by definition is identically distributed to this component in the real IND-CPA game.

    Next, \({\mathscr {B}}\) proceeds to compute \(d_{t_i+1, F}\). To this end, \({\mathscr {B}}\) first generates \(d_{t_R^{*} + 2 , F}\). \({\mathscr {B}}\) picks a random \(\widetilde{r}_{F} \xleftarrow {\text {U}} {\mathbb {Z}}_p\). Let us define \(\widetilde{r}_{F} = \alpha ^{t_R^{*} + 3} - r_{L}(t_{R}^{*} + 2)\). Next, \({\mathscr {B}}\) generates the secret key \(d_{t_R^{*} + 2 , F}\) as follows.

    $$\begin{aligned}&d_{t_R^{*} + 2 , F} = \left( y_0^{\gamma } \cdot g^{\xi } \cdot y_{T - t_R^{*} - 2}^{\widetilde{r}_{F}} \cdot (y_{t^*_R + 2})^{\frac{\gamma _{0}(2T + 1) + \delta _{F} + \varSigma _{i}^{t^*_R + 2} \gamma _{i}i}{t^*_R + 2}}\right. \\&\quad \left. \cdot g^{\frac{\widetilde{r}_{F}(\gamma _{0}(2T + 1) + \delta _{F} + \varSigma _{i}^{t^*_R + 2} \gamma _{i}i)}{t^*_{R} + 2}}, ( y_{t^*_R + 2}\cdot g^{-\widetilde{r}_{F}})^{\frac{1}{t_R^{*} + 2}}, H'_{t^*_R+3}, \ldots , H'_T \right) \!, \end{aligned}$$

    where \(H'_j = ( (y_{t_R^* + 2})^{\gamma _{t^*_R + j}} \cdot g^{\gamma _{t^*_R + j} \widetilde{r}_{F}} \cdot y_{T + 3 - j}^{-1} \cdot y_{T-t^*_R - j}^{\widetilde{r}_{F}})^{\frac{1}{t_R^{*} + 2}}\) for \(j \in \{3,\ldots , T- t^*_R\}\).

    We claim that the above value \(d_{t^*_R+2, F}\) is distributed identically to the value generated by running \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_F,0,t^*_R+2, 0, d_{F,0})\). To see this, observe that the first component of \(d_{t_R^{*} + 2 , F}\) can be further calculated as follows:

    $$\begin{aligned}&y_0^{\gamma } \cdot g^{\xi } \cdot y_{T - t_R^{*} - 2}^{\widetilde{r}_{F}} \cdot y_{t_R^{*} + 2}^{\frac{\gamma _{0}(2T + 1) + \delta _{F} + \varSigma _{i}^{t_R^{*} + 2} \gamma _{i}i}{t_R^{*} + 2}} \cdot g^{\frac{\widetilde{r}_{F}(\gamma _{0}(2T + 1) + \delta _{F} + \varSigma _{i}^{t_R^{*} + 2} \gamma _{i}i)}{t_{R}^{*} + 2}}\\&\quad = g^{\alpha \gamma + \xi } \cdot g^{\alpha ^{T - t_{R}^{*} - 1} \widetilde{r}_{F} } \left( g^{\gamma _{0}(2T + 1) + \delta _{F}} \cdot \prod _{i=1}^{t_{R}^{*}+2} (g^{\gamma _i})^{i} \right) ^{\frac{\alpha ^{t_R^{*} + 3} - \widetilde{r}_{F}}{t_{R}^{*} + 2}} \\&\quad = g^{\alpha \gamma + \xi } \cdot g^{\alpha ^{T + 2}} \cdot g^{-r_{F} (t_R^{*} + 2) \alpha ^{T - t_R^{*} - 1}}\left( g^{\gamma _{0}(2T + 1) + \delta _{F}} \cdot \prod _{i=1}^{t_{R}^{*}+2} (g^{\gamma _i})^{i} \right) ^{r_{F}} \\&\quad = g^{\alpha ^{T + 2}}\cdot g^{\alpha \gamma + \xi } \left( g^{\gamma _{0}(2T + 1) + \delta _{F}} \cdot \prod _{i=1}^{t_{R}^{*}+2} (g^{\gamma _i})^{i} \cdot y_{T - t_{R}^{*} - 2}^{-(t_R^{*} + 2)}\right) ^{r_{F}} \\&\quad = g^{\alpha ^{T + 2}}\cdot g^{\alpha \gamma + \xi } \left( g^{\gamma _{0}(2T + 1)} \cdot y_{T}^{-(2T + 1)} \cdot \prod _{i=1}^{t_{R}^{*}+2} \left( g^{\gamma _i}\cdot y_{T - i}^{-1}\right) ^{i} \cdot g^{\delta _{F}}\right. \\&\qquad \cdot \left. y_{T}^{2T + 1} \cdot \prod _{i=1}^{t_{R}^{*}+1} y_{T - i}^{i}\right) ^{r_{F}} \\&\quad = g^{\alpha (\alpha ^{T + 1} + \gamma ) + \xi } \cdot \left( h_{0}^{2T +1} \cdot \prod _{i=1}^{t_R^{*} + 2} h_{i}^{i} \cdot g_{2,F}\right) ^{r_{F}}. \end{aligned}$$

    \({\mathscr {B}}\) can also compute the remaining components \(g^{r_{F}}, h_{t_{R}^{*} + 3}^{r_{B}}, \ldots , h_{T }^{r_{B}}\), since they do not involve a \(g^{\alpha ^{T+2}}\) term. Therefore, the value \(d_{t_R^{*} + 2 , F}\) is distributed identically to that generated by \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_F, 0, t^*_R + 2, 0, d_{0,F})\).

    \({\mathscr {B}}\) now derives \(d_{t_i+1, F}\) from \(d_{t^*_R + 2, F}\) by running \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_F,t^*_R + 2, t_i + 1, 0, d_{t^*_R +2, F})\). This component \(d_{t_i+1, F}\) is also distributed identically to the value generated from \({\mathtt {FSE}}.{\mathtt {Upd}}_{{\mathtt {BBG}}}(pk_F, 0, t_i +1, d_{0,F})\), because of the property of the secret-key extraction algorithm of the BBG HIBE scheme as explained above.

    \({\mathscr {B}}\) finally sets \(SK_{t_i} \leftarrow ( d_{t_i + 1,F}, d_{T - t_i , B})\), and gives the TIK \(SK_{t_i}\) to \({\mathscr {A}}\).

Challenge When \({\mathscr {A}}\) decides that Phase 1 is over, it outputs the challenge plaintexts \(M_0,M_1 \in MSP\). \({\mathscr {B}}\) picks a random bit \(b \xleftarrow {\text {U}} \{0,1\}\), and computes the challenge ciphertext by

$$\begin{aligned}&C^* = \Big (W \cdot e(y_0 , h^{\gamma }) \cdot M_b , h, h^{\delta _F + \varSigma _{i = 1}^{t_R^* + 1} \gamma _i },\\&\quad h^{\delta _B + \varSigma _{i=1}^{T - t_{L}^{*}} \gamma _i}, [t_{L}^{*} , t_R^{*}] \Big ), \end{aligned}$$

and gives it to \({\mathscr {A}}\). Let \(s = \log _g h\). Observe that if \(W=e(g,h)^{\alpha ^{T +2}}\), then \(C^*\) is of the following form:

$$\begin{aligned}&C^* = \left( W \cdot e(y_0 , h^{\gamma }) \cdot M_b , h , h^{\delta _F + \varSigma _{i = 1}^{t_R^* + 1} \gamma _i }, h^{\delta _B + \varSigma _{i=1}^{T - t_{L}^{*}} \gamma _i},~[t_{L}^{*} , t_R^{*}] \right) \\&\quad = \left( e(g,g)^{\alpha ^{(T + 2)}s} \cdot e(g,g)^{\alpha \gamma s} \cdot M_b , g^s , \left( g^{\delta _F} \cdot \prod _{i=1}^{t_R^* + 1} g^{\gamma _i}\right) ^s, \right. \\&\qquad \left. \times \left( g^{\delta _B} \cdot \prod _{j=1}^{T - t_{L}^* } g^{\gamma _j}\right) ^s , [t_{L}^{*} , t_R^{*}] \right) \\&\quad = \left( e(g,g)^{\alpha s ( \alpha ^{T + 1} + \gamma ) } \cdot M_b, g^s,\right. \\&\qquad \times \left( h_{0}^{2T + 1} \cdot \prod _{i=1}^{t_R^* + 1} (g^{\gamma _i} \cdot y_{T - i}^{-1})^i \cdot g^{\delta _F} \cdot y_{T}^{2T + 1} \prod _{i=1}^{t_R^* + 1} y_{T - i}^{i}\right) ^s, \\&\qquad \left. \times \left( h_{0}^{2T + 1} \cdot \prod _{j=1}^{T - t_{L}^* } (g^{\gamma _j} \cdot y_{T - j}^{-1})^{T + j} \cdot g^{\delta _B} \cdot y_{T}^{2T + 1}\right. \right. \\&\qquad \left. \left. \cdot \prod _{j=1}^{T - t_{L}^* } (y_{T - j})^{T + j}\right) ^s, [t_{L}^{*} , t_R^{*}] \right) \\&\quad = \left( P^s \cdot M_b, g^s, \left( h_{0}^{2T + 1} \cdot \prod _{i=1}^{t_R^* + 1} h_i^{i} \cdot g_{2,F}\right) ^s,\right. \\&\qquad \left. \left( h_{0}^{2T + 1} \cdot \prod _{j=1}^{T - t_{L}^* } h_j^{j} \cdot g_{2,B}\right) ^s, [t_{L}^{*} , t_R^{*}]\right) \\&\quad = {\mathtt {TSE}}.{\mathtt {Enc}}(MPK, [t^*_L, t^*_R], M_b; s). \end{aligned}$$

Then, from the above equation, since the information on h and W has been hidden until this point, \(C^*\) is distributed identically to the challenge ciphertext in the real IND-CPA game. On the other hand, if W is a random value in \({\mathbb {G}}_T\), then the information on b is information-theoretically hidden from \({\mathscr {A}}\)’s view.

Phase 2 \({\mathscr {B}}\) responds to \({\mathscr {A}}\)’s TIK queries as in Phase 1.

Guess Finally, \({\mathscr {A}}\) outputs its guess \(b' \in \{ 0,1 \}\). If \(b=b'\), \({\mathscr {B}}\) outputs \(\eta ' \leftarrow 1\); otherwise, \({\mathscr {B}}\) outputs \(\eta ' \leftarrow 0\) and terminates.

The above completes the description of \({\mathscr {B}}\). Note that \({\mathscr {B}}\) outputs 1 if and only if \({\mathscr {A}}\) succeeds in guessing the bit b. When \(W = e(g,h)^{\alpha ^{T +2}}\), \({\mathscr {B}}\) perfectly simulates the IND-CPA game for \({\mathscr {A}}\) in which the challenge bit is b. Therefore, we have \(\Pr [\eta ' = 1 | W = e(g,h)^{\alpha ^{T+2}}] = Adv_{TSE,{\mathscr {A}}}^{CPA}(k) + \frac{1}{2} \). If \(\eta = 0\), \({\mathscr {A}}\) is unable to get any information on the bit b. Therefore, \(\Pr [\eta ' = 1 | W~{\text {is random}}] = \frac{1}{2}\). \({\mathscr {B}}\)’s advantage in solving the decisional \((T + 2)\hbox {-wBDHI}^*\) assumption can be estimated as follows:

$$\begin{aligned}&|\Pr [\eta ' = 1 | W = e(g,h)^{\alpha ^{T+2}}] - \Pr [\eta ' = 1 | W~{\text {is random}}]|\\&\quad = |Adv_{TSE,{\mathscr {A}}}^{CPA}(k) + \frac{1}{2} - \frac{1}{2}| \\&\quad = Adv_{TSE,{\mathscr {A}}}^{CPA}(k). \end{aligned}$$

If \(Adv_{TSE,A}^{IND-CPA}\) is not negligible, \({\mathscr {B}}\) has non-negligible advantage in solving the (\(T+1\))-decision wBDHI problem in \({\mathbb {G}}\). This contradicts the decisional \((T+1)\)-wBDHI assumption. Therefore, for all PPT adversaries \({\mathscr {A}}\), the IND-CPA advantage is negligible. This completes the proof of Theorem 3. \(\square \)

Appendix 3: Proof of Theorem 3

Proof

Fix \(T = 2^{\lambda }\) arbitrarily such that T is polynomial in the security parameter k, and let \({\mathtt {DTISet}}\) be the set of all possible DTIs \([t_{L}, t_R]\) with \(0 \le t_{L} \le t_R \le T-1\). Note that \(|{\mathtt {DTISet}}| = T(T+1)/2\), and thus there are at most polynomially many possible DTIs.

Recall that for each \([t_{L}, t_R] \in {\mathtt {DTISet}}\), \(v_{L} \leftarrow \min \{v \in {\mathtt {LEFT}}: \widetilde{r}_v \in [t_{L}, t_R]\}\) and \(v_R \leftarrow \min \{v \in {\mathtt {RIGHT}}: \widetilde{\ell }_v \in [t_{L}, t_R]\}\). We classify each \([t_{L}, t_R] \in {\mathtt {DTISet}}\) into one of the following four types according to \(v_{L}\) and \(v_R\):

  • \({\mathtt {Type}}_1\): \({\mathsf {depth}}(v_{L}) = {\mathsf {depth}}(v_R) \wedge v_L \not = 0\)

  • \({\mathtt {Type}}_2\): \({\mathsf {depth}}(v_{L}) < {\mathsf {depth}}(v_R)\)

  • \({\mathtt {Type}}_3\): \({\mathsf {depth}}(v_{L}) > {\mathsf {depth}}(v_R)\)

  • \({\mathtt {Type}}_4\): \({\mathsf {depth}}(v_{L}) = {\mathsf {depth}}(v_R) \wedge v_L = 0\)

These types are mutually exclusive, i.e., \({\mathtt {Type}}_i \cap {\mathtt {Type}}_j = \emptyset \) for \(i \ne j\), and cover the entire set \({\mathtt {DTISet}}\), i.e., \(\bigcup _{i \in \{1,2,3,4\}} {\mathtt {Type}}_i = {\mathtt {DTISet}}\).

Now, let \({\mathscr {A}}\) be an arbitrary IND-CPA adversary against our TSE scheme. We consider the following two games.

  • Game 1 The IND-CPA game regarding our proposed TSE scheme.

  • Game 2 Same as Game 1 with the following exception: If the challenge DTI \([t_{L}^*,t_{R}^*]\) used by \({\mathscr {A}}\) is of \({\mathtt {Type}}_1\), then \(c_{L}^*\) is replaced with an encryption of the all-zero string \(0^{|m_0|}\).

For \(i \in \{1,2\}\), let \({\mathsf {Succ}}^{(i)}\) be the event that \({\mathscr {A}}\) succeeds in guessing the challenge bit (i.e., \(b' = b\) occurs) in Game i, and let \({\mathsf {T}}_{[t_{L},t_R]}^{(i)}\) be the event that \({\mathscr {A}}\) uses \([t_{L}, t_R]\) as the challenge DTI in Game i.

Since each event \({\mathsf {T}}_{[t_{L}, t_R]}^{(i)}\) is mutually exclusive, \({\mathscr {A}}\)’s advantage can be estimated as follows:

$$\begin{aligned}&Adv_{TSE,{\mathscr {A}}}^{CPA} = |\Pr [{\mathsf {Succ}}^{(1)}] - \frac{1}{2}| \nonumber \\&\quad = | \sum _{[t_{L},t_R] \in {\mathtt {DTISet}}}\Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] - \frac{1}{2}| \nonumber \\&\quad = | \sum _{[t_{L},t_R] \in {\mathtt {DTISet}}}\Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}]\nonumber \\&\quad \quad - \frac{1}{2}\sum _{[t_{L},t_R] \in {\mathtt {DTISet}}}(1 - \Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}])| \nonumber \\&\quad \le \sum _{[t_{L},t_R] \in {\mathtt {DTISet}}}| \Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] + \frac{1}{2}\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}]-\frac{1}{2}|\nonumber \\ \end{aligned}$$
(1)

For each \([t_{L},t_R] \in {\mathtt {DTISet}}\), let us denote by \(Adv_{[t_{L},t_R]}^{(i)}\) the corresponding term of the summation in Eq. (1), evaluated in Game i. Namely,

$$\begin{aligned} Adv_{[t_{L},t_R]}^{(i)} = |\Pr [{\mathsf {Succ}}^{(i)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(i)}] + \frac{1}{2}\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(i)}}] - \frac{1}{2}|\nonumber \\ \end{aligned}$$
(2)

To show that every term in Eq. (1) is negligible, we prove the following four lemmas.

Lemma 1

\(\forall ~[t_{L},t_R]\in {\mathtt {Type}}_1\), \(Adv_{[t_{L},t_R]}^{(1)}\) is negligible.

Lemma 2

\(\forall ~[t_{L},t_R]\in {\mathtt {Type}}_2\), \(Adv_{[t_{L},t_R]}^{(1)}\) is negligible.

Lemma 3

\(\forall ~[t_{L},t_R]\in {\mathtt {Type}}_3\), \(Adv_{[t_{L},t_R]}^{(1)}\) is negligible.

Lemma 4

\(\forall ~[t_{L},t_R]\in {\mathtt {Type}}_4\), \(Adv_{[t_{L},t_R]}^{(1)}\) is negligible.

Proof of Lemma 1

Fix arbitrarily \([t_{L}, t_R] \in {\mathtt {Type}}_1\). With a simple calculation using the triangle inequality, we have:

$$\begin{aligned} Adv_{[t_{L},t_R]}^{(1)}&= | \Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] + \frac{1}{2}\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}]-\frac{1}{2}| \nonumber \\&\le |\Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] - \Pr [{\mathsf {Succ}}^{(2)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(2)}] |\nonumber \\&\quad + \frac{1}{2}\cdot |\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}] - \Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(2)}}]|\nonumber \\&\quad + | \Pr [{\mathsf {Succ}}^{(2)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(2)}] + \frac{1}{2}\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(2)}}] -\frac{1}{2}| \end{aligned}$$
(3)

Below, we bound each term on the right-hand side of the above inequality.

Claim 1

\(\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}] = \Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(2)}}]\)

Proof of Claim 1

Note that by definition, Game 1 and Game 2 are identical before the challenge. Therefore, the probability of the event \(\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}\) occurring in Game 1 must be identical to the probability of the event \(\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(2)}}\) occurring in Game 2. \(\square \)

Claim 2

There exists an efficient adversary \({\mathscr {B}}\) such that \(Adv^{CPA}_{PTSE,{\mathscr {B}}} = \frac{1}{2}|\Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] - \Pr [{\mathsf {Succ}}^{(2)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(2)}] |\).

Proof of Claim 2

We show how to construct an adversary \({\mathscr {B}}\) that has the claimed IND-CPA advantage against the building block PTSE scheme. \({\mathscr {B}}\) attacks the PTSE scheme in which the total number of time units is \(T'=|S_{v_{L}}|\). The description of \({\mathscr {B}}\) is as follows:

  1. \({\mathscr {B}}\) initially receives \(mpk'\) from the challenger, which is generated by \((mpk', msk') \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, T')\) where \(T' = |S_{v_{L}}|\), and generates the parameter MPK for \({\mathscr {A}}\) as follows:

    (a) \((mpk_v,msk_v) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, |S_v|)\) for every \(v \in {\mathtt {LEFT}}\setminus \{v_{L}\}\).

    (b) \((mpk_v,msk_v) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, |S_v|)\) for every \(v \in {\mathtt {RIGHT}}\).

    (c) \(mpk_{v_{L}}\leftarrow mpk'\), \(MPK \leftarrow \{mpk_v\}_{v \in {\mathtt {INT}}}\), and \(MSK \leftarrow \{msk_v\}_{v \in {\mathtt {INT}}\setminus \{v_{L}\}}\).

    (d) Give MPK to \({\mathscr {A}}\).

  2. When \({\mathscr {A}}\) makes a TIK extraction query \(t_i\), \({\mathscr {B}}\) responds as follows:

    (a) If \(t_i \in [t_{L},t_R]\), then give up the simulation and output 1.

    (b) \(sk^{(v)}_{\le t_i - \widetilde{\ell }_v} \leftarrow {\mathtt {PTSE}}.{\mathtt {Ext}}(msk_v, t_i- \widetilde{\ell }_v)\) for every \(v \in {\mathtt {LEFT}}\cap {\mathtt {NODES}}(t_i)\setminus \{v_{L}\}\).

    (c) \(sk^{(v)}_{\ge t_i - \widetilde{\ell }_v} \leftarrow {\mathtt {FTSE}}.{\mathtt {Ext}}(msk_v, t_i-\widetilde{\ell }_v)\) for every \(v \in {\mathtt {RIGHT}}\cap {\mathtt {NODES}}(t_i)\).

    (d) If \(v_{L}\in {\mathtt {NODES}}(t_i) \), then submit a TIK extraction query \(t_i- \widetilde{\ell }_{v_{L}}\) (of the PTSE) to \({\mathscr {B}}\)’s challenger, receive \(sk_{\le {t_i} - \widetilde{\ell }_{v_{L}}}\) as a response, and use it as \(sk^{(v_{L})}_{\le t_i - \widetilde{\ell }_{v_{L}}}\).

    (e) \(SK_{t_i, L} \leftarrow \{sk^{(v)}_{\le t_i - \widetilde{\ell }_v}\}_{v \in {\mathtt {LEFT}}\cap {\mathtt {NODES}}(t_i)}\) and \(SK_{t_i, R} \leftarrow \{sk^{(v)}_{\ge t_i - \widetilde{\ell }_v}\}_{v \in {\mathtt {RIGHT}}\cap {\mathtt {NODES}}(t_i)}\).

    (f) Return \(SK_{t_i} \leftarrow (t_i, SK_{t_i, L}, SK_{t_i, R})\) to \({\mathscr {A}}\).

  3. When \({\mathscr {A}}\) submits the challenge \((m_0,m_1,[t_{L}^*,t_{R}^*])\), \({\mathscr {B}}\) responds as follows:

    (a) If \([t_{L}^*,t_{R}^*] \not = [t_{L},t_{R}]\), then give up the simulation and output 1.

    (b) Pick a fair coin \(\beta \in \{0,1\}\), and set \(m'_0 \leftarrow m_{\beta }\) and \(m'_1 \leftarrow 0^{|m_0|}\).

    (c) Submit (\(m'_0, m'_1,t_{L}^* - \widetilde{\ell }_{v_{L}} \)), and receive the challenge ciphertext \(c_{L}^*\).

    (d) \(c_{R}^* \leftarrow {\mathtt {FTSE}}.{\mathtt {Enc}}(mpk_{v_R}, t_{R}^* - \widetilde{\ell }_{v_R}, m_\beta )\).

    (e) Give \(C^* \leftarrow ([t_{L}^*,t_{R}^*],c_{L}^*,c_{R}^* )\) to \({\mathscr {A}}\) as \({\mathscr {A}}\)’s challenge ciphertext.

  4. \({\mathscr {B}}\) responds to \({\mathscr {A}}\)’s TIK extraction queries in exactly the same way as above.

  5. When \({\mathscr {A}}\) terminates with output \(\beta '\), \({\mathscr {B}}\) sets \(b' \leftarrow 0\) if \(\beta ' = \beta \), otherwise sets \(b' \leftarrow 1\), and terminates with output \(b'\) as the guess for the challenge bit.

The above completes the description of \({\mathscr {B}}\). Let \({\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]}\) be the event that in \({\mathscr {B}}\)’s IND-CPA game (regarding the PTSE scheme), it holds that \([t^*_{L}, t^*_R] = [t_{L}, t_R]\) (i.e., \({\mathscr {A}}\)’s challenge DTI is \([t_{L}, t_R]\)). Note that \({\mathscr {B}}\) outputs 0 only when \({\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]}\) and \(\beta ' = \beta \) occur.

\({\mathscr {B}}\)’s IND-CPA advantage can be estimated as follows:

$$\begin{aligned} Adv^{CPA}_{PTSE,{\mathscr {B}}}&= |\Pr [b' = b ] - \frac{1}{2}| \\&= \frac{1}{2}| \Pr [\beta ' = \beta \wedge {\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]} | b = 0]\\&\quad \, -\, \Pr [\beta ' = \beta \wedge {\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]} | b = 1]| \end{aligned}$$
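The step from the first line to the second, written out as an added derivation (not part of the original proof). It assumes that the challenge bit \(b\) of \({\mathscr {B}}\)’s game is uniform, and it reads the note above as an equivalence: \({\mathscr {B}}\) outputs \(b' = 0\) exactly when \({\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]}\) and \(\beta ' = \beta \) both occur.

$$\begin{aligned} \Pr [b' = b]&= \frac{1}{2}\Pr [b' = 0 | b = 0] + \frac{1}{2}\Pr [b' = 1 | b = 1] \\&= \frac{1}{2}\Pr [b' = 0 | b = 0] + \frac{1}{2}\left( 1 - \Pr [b' = 0 | b = 1]\right) \\&= \frac{1}{2} + \frac{1}{2}\left( \Pr [\beta ' = \beta \wedge {\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]} | b = 0] - \Pr [\beta ' = \beta \wedge {\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]} | b = 1]\right) . \end{aligned}$$

Subtracting \(\frac{1}{2}\) and taking the absolute value gives the expression above.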

Notice that when \({\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]}\) occurs, \({\mathscr {B}}\) simulates Game 1 and Game 2 perfectly for \({\mathscr {A}}\) (note that these games are identical before the challenge). Therefore, we have \(\Pr [{\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]}] = \Pr [{\mathsf {T}}^{(1)}_{[t_{L}, t_R]}] = \Pr [{\mathsf {T}}^{(2)}_{[t_{L}, t_R]}]\). Furthermore, once \({\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]}\) occurs and \(b=0\), the challenge ciphertext for \({\mathscr {A}}\) is generated in such a way that it is distributed identically to that of Game 1 in which the challenge bit for \({\mathscr {A}}\) is \(\beta \). Therefore, we have \(\Pr [\beta ' = \beta \wedge {\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]} | b=0] = \Pr [{\mathsf {Succ}}^{(1)} \wedge {\mathsf {T}}^{(1)}_{[t_{L}, t_R]}]\). A similar argument for the case \(b=1\) shows that \(\Pr [\beta ' = \beta \wedge {\mathsf {T}}^{{\mathscr {B}}}_{[t_{L}, t_R]} | b= 1] = \Pr [{\mathsf {Succ}}^{(2)} \wedge {\mathsf {T}}^{(2)}_{[t_{L}, t_R]}]\). In summary, we have

$$\begin{aligned}&Adv^{CPA}_{PTSE,{\mathscr {B}}} = \frac{1}{2}|\Pr [{\mathsf {Succ}}^{(1)} \wedge {\mathsf {T}}^{(1)}_{[t_{L}, t_R]}]\\&\quad \quad -\, \Pr [{\mathsf {Succ}}^{(2)} \wedge {\mathsf {T}}^{(2)}_{[t_{L}, t_R]}]| \end{aligned}$$

which completes the proof of Claim 2. \(\square \)

Claim 3

There exists an efficient adversary \({\mathscr {D}}\) such that \(Adv^{CPA}_{FTSE,{\mathscr {D}}} = Adv^{(2)}_{[t_{L}, t_R]}\).

Proof of Claim 3

We show how to construct an adversary \({\mathscr {D}}\) that has the claimed IND-CPA advantage against the building block FTSE scheme. \({\mathscr {D}}\) attacks the FTSE scheme in which the total number of time units is \(T'=|S_{v_R}|\). The description of \({\mathscr {D}}\) is as follows:

  1. \({\mathscr {D}}\) is given \(mpk'\) from the challenger, which is generated by \((mpk',msk') \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k,T')\) where \(T' = |S_{v_R}|\), and generates the parameter MPK for \({\mathscr {A}}\) as follows:

    (a) \((mpk_v, msk_v) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, |S_v|)\) for every \(v \in {\mathtt {LEFT}}\).

    (b) \((mpk_v,msk_v) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, |S_v|)\) for every \(v \in {\mathtt {RIGHT}}\setminus \{v_R\}\).

    (c) \(mpk_{v_R}\leftarrow mpk'\), \(MPK \leftarrow \{mpk_v\}_{v \in {\mathtt {INT}}}\), and \(MSK \leftarrow \{msk_v\}_{v \in {\mathtt {INT}}\setminus \{v_R\}}\).

    (d) Give MPK to \({\mathscr {A}}\).

  2. When \({\mathscr {A}}\) submits a TIK extraction query \(t_i\), \({\mathscr {D}}\) responds as follows:

    (a) If \(t_i \in [t_{L},t_R]\) then give up the simulation and output a random bit.

    (b) \(sk^{(v)}_{\le t_i - \widetilde{\ell }_v} \leftarrow {\mathtt {PTSE}}.{\mathtt {Ext}}(msk_v, t_i- \widetilde{\ell }_v)\) for every \(v \in {\mathtt {LEFT}}\cap {\mathtt {NODES}}(t_i)\).

    (c) \(sk^{(v)}_{\ge t_i - \widetilde{\ell }_v} \leftarrow {\mathtt {FTSE}}.{\mathtt {Ext}}(msk_v, t_i-\widetilde{\ell }_v)\) for every \(v \in {\mathtt {RIGHT}}\cap {\mathtt {NODES}}(t_i)\setminus \{v_R\}\).

    (d) If \(v_R\in {\mathtt {NODES}}(t_i)\) then submit a TIK extraction query \(t_i- \widetilde{\ell }_{v_R}\) (of the FTSE) to \({\mathscr {D}}\)’s challenger, receive \(sk_{\ge {t_i} - \widetilde{\ell }_{v_R}}\) as a response, and use it as \(sk^{(v_R)}_{\ge t_i - \widetilde{\ell }_{v_R}}\).

    (e) \(SK_{t_i, L} \leftarrow \{sk^{(v)}_{\le t_i - \widetilde{\ell }_v}\}_{v \in {\mathtt {LEFT}}\cap {\mathtt {NODES}}(t_i)}\) and \(SK_{t_i, R} \leftarrow \{sk^{(v)}_{\ge t_i - \widetilde{\ell }_v}\}_{v \in {\mathtt {RIGHT}}\cap {\mathtt {NODES}}(t_i)}\).

    (f) Return \(SK_{t_i} \leftarrow (t_i, SK_{t_i, L}, SK_{t_i, R})\) to \({\mathscr {A}}\).

  3. When \({\mathscr {A}}\) submits the challenge \((m_0,m_1,[t_{L}^*,t_{R}^*])\), \({\mathscr {D}}\) responds as follows:

    (a) If \([t_{L}^*,t_{R}^*] \not = [t_{L},t_{R}]\) then give up the simulation and output a random bit.

    (b) Submit (\(m_0,m_1,t_{R}^* - \widetilde{\ell }_{v_R}\)) to \({\mathscr {D}}\)’s challenger, and receive the challenge ciphertext \(c_{R}^*\).

    (c) \(c_{L}^* \leftarrow {\mathtt {PTSE}}.{\mathtt {Enc}}(mpk_{v_{L}}, t_{L}^* - \widetilde{\ell }_{v_{L}}, 0^{|m_0|})\).

    (d) Give \(C^* \leftarrow ([t_{L}^*,t_{R}^*],c_{L}^*,c_{R}^* )\) to \({\mathscr {A}}\) as \({\mathscr {A}}\)’s challenge ciphertext.

  4. \({\mathscr {D}}\) responds to \({\mathscr {A}}\)’s TIK extraction queries in exactly the same way as above.

  5. When \({\mathscr {A}}\) terminates with output \(b'\), \({\mathscr {D}}\) outputs this \(b'\) as its guess for the challenge bit and terminates.

The above completes the description of \({\mathscr {D}}\).

Let \({\mathsf {Succ}}^D\) be the event that \({\mathscr {D}}\) succeeds in guessing \({\mathscr {D}}\)’s challenge bit, and \({\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}\) be the event that in \({\mathscr {D}}\)’s IND-CPA game (regarding the FTSE scheme), it holds that \([t^*_{L}, t^*_R] = [t_{L}, t_R]\) (i.e., \({\mathscr {A}}\) uses \([t_{L}, t_R]\) as the challenge DTI). Then, it is not hard to see that \(\Pr [{\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}] = \Pr [{\mathsf {T}}^{(2)}_{[t_{L}, t_R]}]\) and \(\Pr [{\mathsf {Succ}}^{{\mathscr {D}}} \wedge {\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}] = \Pr [{\mathsf {Succ}}^{(2)} \wedge {\mathsf {T}}^{(2)}_{[t_{L}, t_R]}]\), because in case \({\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}\) occurs \({\mathscr {D}}\) simulates Game 2 perfectly for \({\mathscr {A}}\) in which the challenge bit for \({\mathscr {A}}\) is that for \({\mathscr {D}}\) (and thus \({\mathscr {D}}\) and \({\mathscr {A}}\) succeed with exactly the same probability). Furthermore, whenever \({\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}\) does not occur, \({\mathscr {D}}\) outputs a random bit, which means that \(\Pr [{\mathsf {Succ}}^{{\mathscr {D}}} | \overline{{\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}}] = \frac{1}{2}\). Therefore, \({\mathscr {D}}\)’s IND-CPA advantage can be estimated as:

$$\begin{aligned} \begin{aligned} Adv_{FTSE,{\mathscr {D}}}^{CPA}&= |\Pr [{\mathsf {Succ}}^{{\mathscr {D}}}] - \frac{1}{2}| = |\Pr [{\mathsf {Succ}}^{{\mathscr {D}}}\wedge {\mathsf {T}}^{{\mathscr {D}}}_{[t_{L},t_R]}]\\&\quad + \Pr [{\mathsf {Succ}}^{{\mathscr {D}}} | \overline{{\mathsf {T}}_{[t_{L},t_R]}^{{\mathscr {D}}}}] \cdot \Pr [\overline{{\mathsf {T}}^{{\mathscr {D}}}_{[t_{L}, t_R]}}] - \frac{1}{2}|\\&= |\Pr [{\mathsf {Succ}}^{(2)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(2)}] + \frac{1}{2}\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(2)}}]\\&\quad \,\,-\, \frac{1}{2}| = Adv^{(2)}_{[t_{L}, t_R]}, \end{aligned} \end{aligned}$$

which completes the proof of Claim 3. \(\square \)

According to Eq. (3) and Claims 1, 2, and 3, there exist efficient adversaries \({\mathscr {B}}\) and \({\mathscr {D}}\) such that

$$\begin{aligned} Adv_{[t_{L},t_R]}^{(1)} \le 2\cdot Adv_{PTSE,{\mathscr {B}}}^{CPA} + Adv_{FTSE,{\mathscr {D}}}^{CPA} \end{aligned}$$
(4)
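How Eq. (4) follows from Eq. (3), written out term by term as an added derivation (not part of the original proof). The third term of Eq. (3) is \(Adv^{(2)}_{[t_{L}, t_R]}\) by Eq. (2) with \(i = 2\).

$$\begin{aligned} Adv_{[t_{L},t_R]}^{(1)}&\le \underbrace{|\Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] - \Pr [{\mathsf {Succ}}^{(2)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(2)}]|}_{=\, 2\cdot Adv_{PTSE,{\mathscr {B}}}^{CPA}~\text {(Claim 2)}} \\&\quad + \frac{1}{2}\cdot \underbrace{|\Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(1)}}] - \Pr [\overline{{\mathsf {T}}_{[t_{L},t_R]}^{(2)}}]|}_{=\, 0~\text {(Claim 1)}} + \underbrace{Adv^{(2)}_{[t_{L}, t_R]}}_{=\, Adv_{FTSE,{\mathscr {D}}}^{CPA}~\text {(Claim 3)}} \\&= 2\cdot Adv_{PTSE,{\mathscr {B}}}^{CPA} + Adv_{FTSE,{\mathscr {D}}}^{CPA}. \end{aligned}$$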

Since the building blocks (the FTSE scheme and the PTSE scheme) are both IND-CPA secure, the right-hand side of the above inequality is negligible. The above argument works for any \([t_{L}, t_R] \in {\mathtt {Type}}_1\). This completes the proof of Lemma 1. \(\square \)

Proof of Lemma 2

Fix arbitrarily \([t_{L}, t_R] \in {\mathtt {Type}}_2\). Using \({\mathscr {A}}\) as a building block, we show that we can construct another IND-CPA adversary \({\mathscr {E}}\) against the building block PTSE scheme satisfying \(Adv_{PTSE,{\mathscr {E}}}^{CPA}= Adv_{[t_{L},t_R]}^{(1)}\), from which the lemma follows. \({\mathscr {E}}\) attacks the PTSE scheme in which the total number of time units is \(T'=|S_{v_{L}}|\). The description of \({\mathscr {E}}\) is as follows:

  1. \({\mathscr {E}}\) receives \(mpk'\) from the challenger, which is generated by \((mpk',msk') \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, T')\) where \(T' = |S_{v_{L}}|\), and generates the parameter MPK for \({\mathscr {A}}\) as follows:

    (a) \((mpk_v, msk_v) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, |S_v|)\) for every \(v \in {\mathtt {LEFT}}\setminus \{v_{L}\}\).

    (b) \((mpk_v, msk_v) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, |S_v|)\) for every \(v \in {\mathtt {RIGHT}}\).

    (c) \(mpk_{v_{L}}\leftarrow mpk'\), \(MPK \leftarrow \{mpk_v\}_{v \in {\mathtt {INT}}}\), and \(MSK \leftarrow \{msk_v\}_{v \in {\mathtt {INT}}\setminus \{v_{L}\}}\).

    (d) Give MPK to \({\mathscr {A}}\).

  2. When \({\mathscr {A}}\) makes a TIK extraction query \(t_i\), \({\mathscr {E}}\) responds as follows:

    (a) If \(t_i \in [t_{L},t_R]\), then give up the simulation and output a random bit.

    (b) \(sk^{(v)}_{\le t_i - \widetilde{\ell }_v} \leftarrow {\mathtt {PTSE}}.{\mathtt {Ext}}(msk_v, t_i- \widetilde{\ell }_v)\) for every \(v \in {\mathtt {LEFT}}\cap {\mathtt {NODES}}(t_i)\setminus \{v_{L}\}\).

    (c) If \(v_{L} \in {\mathtt {NODES}}(t_i)\) then submit a TIK extraction query \(t_i - \widetilde{\ell }_{v_{L}}\) (of the PTSE) to \({\mathscr {E}}\)’s challenger, receive \(sk_{\le {t_i}-\widetilde{\ell }_{v_{L}}}\) as a response, and use it as \(sk^{(v_{L})}_{\le t_i - \widetilde{\ell }_{v_{L}}}\).

    (d) \(sk^{(v)}_{\ge t_i - \widetilde{\ell }_v} \leftarrow {\mathtt {FTSE}}.{\mathtt {Ext}}(msk_v, t_i-\widetilde{\ell }_v)\) for every \(v \in {\mathtt {RIGHT}}\cap {\mathtt {NODES}}(t_i)\).

    (e) \(SK_{t_i, L} \leftarrow \{sk^{(v)}_{\le t_i - \widetilde{\ell }_v}\}_{v \in {\mathtt {LEFT}}\cap {\mathtt {NODES}}(t_i)}\) and \(SK_{t_i, R} \leftarrow \{sk^{(v)}_{\ge t_i - \widetilde{\ell }_v}\}_{v \in {\mathtt {RIGHT}}\cap {\mathtt {NODES}}(t_i)}\).

    (f) Return \(SK_{t_i} \leftarrow (t_i, SK_{t_i, L}, SK_{t_i, R})\) to \({\mathscr {A}}\).

  3. When \({\mathscr {A}}\) submits the challenge \((m_0,m_1,[t_{L}^*,t_{R}^*])\), \({\mathscr {E}}\) responds as follows:

    (a) If \([t_{L}^*,t_{R}^*] \not = [t_{L},t_{R}]\), then give up the simulation and output a random bit.

    (b) Submit (\(m_0,m_1,t_{L}^* - \widetilde{\ell }_{v_R}\)) to \({\mathscr {E}}\)’s challenger, and receive the challenge ciphertext \(c_{L}^*\).

    (c) \(c_{R}^* \leftarrow \emptyset \)

    (d) Give \(C^* \leftarrow ([t_{L}^*,t_{R}^*],c_{L}^*,c_{R}^*)\) to \({\mathscr {A}}\) as \({\mathscr {A}}\)’s challenge ciphertext.

  4. \({\mathscr {E}}\) responds to \({\mathscr {A}}\)’s extraction queries in exactly the same way as above.

  5. When \({\mathscr {A}}\) terminates with output \(b'\), \({\mathscr {E}}\) outputs this \(b'\) as its guess for the challenge bit and terminates.

The above completes the description of \({\mathscr {E}}\). \(\square \)

Let \({\mathsf {Succ}}^{{\mathscr {E}}}\) be the event that \({\mathscr {E}}\) succeeds in guessing \({\mathscr {E}}\)’s challenge bit, and \({\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}\) be the event that in \({\mathscr {E}}\)’s IND-CPA game (regarding the PTSE scheme), it holds that \([t^*_{L}, t^*_R] = [t_{L}, t_R]\) (i.e., \({\mathscr {A}}\) uses \([t_{L}, t_R]\) as the challenge DTI). Then, it is not hard to see that \(\Pr [{\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}] = \Pr [{\mathsf {T}}^{(1)}_{[t_{L}, t_R]}]\) and \(\Pr [{\mathsf {Succ}}^{{\mathscr {E}}} \wedge {\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}] = \Pr [{\mathsf {Succ}}^{(1)} \wedge {\mathsf {T}}^{(1)}_{[t_{L}, t_R]}]\), because in case \({\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}\) occurs \({\mathscr {E}}\) simulates Game 1 perfectly for \({\mathscr {A}}\) in which the challenge bit for \({\mathscr {A}}\) is that for \({\mathscr {E}}\) (and thus \({\mathscr {E}}\) and \({\mathscr {A}}\) succeed with exactly the same probability). Furthermore, whenever \({\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}\) does not occur, \({\mathscr {E}}\) outputs a random bit, which means that \(\Pr [{\mathsf {Succ}}^{{\mathscr {E}}} | \overline{{\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}}] = \frac{1}{2}\). Therefore, \({\mathscr {E}}\)’s IND-CPA advantage can be estimated as:

$$\begin{aligned} \begin{aligned}&Adv_{PTSE,{\mathscr {E}}}^{CPA} = |\Pr [{\mathsf {Succ}}^{{\mathscr {E}}}] - \frac{1}{2}|\\&\quad = |\Pr [{\mathsf {Succ}}^{{\mathscr {E}}}\wedge {\mathsf {T}}^{{\mathscr {E}}}_{[t_{L},t_R]}] \!+\! \Pr [{\mathsf {Succ}}^{{\mathscr {E}}} | \overline{{\mathsf {T}}_{[t_{L},t_R]}^{{\mathscr {E}}}}] \cdot \Pr [\overline{{\mathsf {T}}^{{\mathscr {E}}}_{[t_{L}, t_R]}}] \!- \frac{1}{2}|\\&\quad = |\Pr [{\mathsf {Succ}}^{(1)}\wedge {\mathsf {T}}_{[t_{L},t_R]}^{(1)}] + \frac{1}{2}\Pr [\overline{\mathsf {T}_{[t_{L},t_R]}^{(1)}}] - \frac{1}{2}| = Adv^{(1)}_{[t_{L}, t_R]} \end{aligned} \end{aligned}$$

which means that if \(Adv^{(1)}_{[t_{L}, t_R]}\) is non-negligible, so is \(Adv^{CPA}_{PTSE,{\mathscr {E}}}\). Since this contradicts the IND-CPA security of the building block PTSE scheme, it follows that \(Adv_{[t_{L}, t_R]}^{(1)}\) is negligible. Recall that the choice of \([t_{L}, t_R]\) was arbitrary, and thus the above works for any \([t_{L}, t_R] \in {\mathtt {Type}}_2\). This completes the proof of Lemma 2. \(\square \)

The proof of Lemma 3 is omitted because the proof is essentially the same as the proof of Claim 3, and is symmetrical to the proof of Lemma 2. Namely, for every \([t_{L}, t_R] \in {\mathtt {Type}}_3\), we can construct an efficient IND-CPA adversary \({\mathscr {F}}\) regarding the FTSE scheme such that \(Adv^{CPA}_{FTSE,{\mathscr {F}}} = Adv^{(1)}_{[t_{L}, t_R]}\), which means that \(Adv^{(1)}_{[t_{L}, t_R]}\) is negligible for any \([t_{L}, t_R] \in {\mathtt {Type}}_3\). (The only difference between the adversary \({\mathscr {F}}\) and the adversary \({\mathscr {D}}\) described in the proof of Claim 1 is that \({\mathscr {F}}\) sets \(c^*_{F} \leftarrow \emptyset \) when computing the challenge ciphertext for \({\mathscr {A}}\).)

We also omit the proof of Lemma 4 because it can be proved in essentially the same way as Lemma 2.

Lemmas 1 to 4 imply that the left-hand side of Eq. (1) is upper-bounded by a negligible quantity, which means that \({\mathscr {A}}\)’s IND-CPA advantage is negligible. Recall that the above proof works for any efficient IND-CPA adversary against our proposed TSE scheme. This completes the proof of Theorem 3. \(\square \)

Appendix 4: Toy example of our generic construction

In order to better understand our generic construction in Sect. 4.2, here we describe a toy example of our generic construction in which \(T = 2^{3}\). See also Fig. 5 for the illustration that represents the “directions” (or, “realms” in other words) that the secret keys from the underlying FTSE and PTSE schemes can cover. Note that in this example, \({\mathtt {LEFT}}= \{0,2,4,6\}\), and \({\mathtt {RIGHT}}= \{1,3,5,7\}\).

  • \({\mathtt {TSE}}.{\mathtt {Setup}}(1^k, T)\): Run the setup algorithms of the underlying FTSE and PTSE schemes as follows:

    \((mpk_0, msk_0) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, 8)\)

    \((mpk_1, msk_1) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, 7)\)

    \((mpk_2, msk_2) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, 3)\)

    \((mpk_3, msk_3) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, 3)\)

    \((mpk_4, msk_4) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, 1)\)

    \((mpk_5, msk_5) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, 1)\)

    \((mpk_6, msk_6) \leftarrow {\mathtt {PTSE}}.{\mathtt {Setup}}(1^k, 1)\)

    \((mpk_7, msk_7) \leftarrow {\mathtt {FTSE}}.{\mathtt {Setup}}(1^k, 1)\)

    \(MPK \leftarrow (mpk_0,mpk_1,\dots ,mpk_7)\)

    \(MSK \leftarrow (msk_0,msk_1, \dots , msk_7)\)

    Return (MPK, MSK).

  • \({\mathtt {TSE}}.{\mathtt {Ext}}(msk, t)\): The algorithm sets the TIK \(SK_{t}\) to the FTSE and PTSE secret keys that appear in the column for time t in Fig. 5. For example,

    1. \(SK_{0}=(0, SK_{0,L}, SK_{0,R})\) where \(SK_{0,L} = sk^{(0)}_{\le 0}\) and \(SK_{0,R} = sk^{(1)}_{\ge 0}\).

    2. \(SK_{1}=(1, SK_{1,L}, SK_{1,R})\) where \(SK_{1,L}= (sk^{(0)}_{\le 1}, sk^{(2)}_{\le 0},sk^{(4)}_{\le 0})\), and \(SK_{1,R} = sk^{(1)}_{\ge 1}\).

    3. \(SK_{4}=(4, SK_{4,L}, SK_{4,R})\) where \(SK_{4,L}= sk^{(0)}_{\le 4}\) and \(SK_{4,R} =(sk^{(1)}_{\ge 4},sk^{(3)}_{\ge 0})\).

    Note that \({\mathtt {NODES}}(0) = \{0,1\}\), \({\mathtt {NODES}}(1) = \{0,1,2,4\}\), and \({\mathtt {NODES}}(4) = \{0,1,3\}\).

  • \({\mathtt {TSE}}.{\mathtt {Enc}}(mpk, [t_{L}, t_R], M)\): We exemplify the cases in which \([t_L, t_R] = [4,7]\), [4, 5], and [2, 6] in the following:

    1. \(C=([4,7],c_{L},c_R)\), where \(c_{L} \leftarrow {\mathtt {PTSE}}.{\mathtt {Enc}}(mpk_{0}, 4, M)\) and \(c_R \leftarrow \emptyset \). Note that \(v_L = \min \{v \in {\mathtt {LEFT}}: \widetilde{r}_v \in [4,7]\} = 0\) and thus \({\mathsf {depth}}(v_L) = 0\), while \(v_R = \min \{v \in {\mathtt {RIGHT}}: \widetilde{\ell }_v \in [4,7]\} = 3\) and thus \({\mathsf {depth}}(v_R) = 1\).

    2. \(C=([4,5],c_{L},c_R)\), where \(c_{L} \leftarrow \emptyset \) and \(c_R \leftarrow {\mathtt {FTSE}}.{\mathtt {Enc}}(mpk_{3}, 1, M)\). Note that \(v_L = \min \{v \in {\mathtt {LEFT}}: \widetilde{r}_v \in [4,5]\} = 6\) and thus \({\mathsf {depth}}(v_L) = 2\), while \(v_R = \min \{v \in {\mathtt {RIGHT}}: \widetilde{\ell }_v \in [4,5]\} = 3\) and thus \({\mathsf {depth}}(v_R) = 1\).

    3. \(C=([2,6],c_{L},c_{R})\), where \(c_{L} \leftarrow {\mathtt {PTSE}}.{\mathtt {Enc}}(mpk_{2}, 1, M)\) and \(c_R \leftarrow {\mathtt {FTSE}}.{\mathtt {Enc}}(mpk_{3},2, M)\). Note that \(v_L = \min \{v \in {\mathtt {LEFT}}: \widetilde{r}_v \in [2,6]\} = 2\) and thus \({\mathsf {depth}}(v_L) = 1\), while \(v_R = \min \{v \in {\mathtt {RIGHT}}: \widetilde{\ell }_v \in [2,6]\} = 3\) and thus \({\mathsf {depth}}(v_R) = 1\).

  • \({\mathtt {TSE}}.{\mathtt {Dec}}(SK_t, C)\): Using \(SK_4 = (4, SK_{4,L}, SK_{4,R})\), we can decrypt the above (correctly generated) ciphertexts:

    1. If DTI is [4, 7], run \(M \leftarrow {\mathtt {FTSE}}.{\mathtt {Dec}}(sk^{(0)}_{\le 4}, c_L)\). Note that in this case, \(\min ({\mathtt {NODES}}(4) \cap \{v_L, v_R\}) = 0 \in {\mathtt {LEFT}}\).

    2. If DTI is [4, 5] or [2, 6], run \(M \leftarrow {\mathtt {PTSE}}.{\mathtt {Dec}}(sk^{(3)}_{\ge 0}, c_R)\). Note that in both cases, \(\min ({\mathtt {NODES}}(4) \cap \{v_L, v_R\}) = 3 \in {\mathtt {RIGHT}}\).
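The interval logic of the toy example can be checked mechanically. The following Python model is an added example, not code from the paper: it represents keys and ciphertexts only as (node, local time) pairs and computes which time units can open each of the three ciphertexts above. The offsets \(\widetilde{\ell }_v\) are read off the TIK examples above, and the reading of the subscripts \(\le \) and \(\ge \) as decryption conditions is an assumption.

```python
# Model of which time units can open each toy-example ciphertext (T = 8).
# No cryptography is performed: keys and ciphertexts are (node, local time)
# pairs, which is enough to check the interval logic.
T = 8

# node -> (scheme, l_v, |S_v|). |S_v| is the Setup argument on the page; the
# offsets l_v are read off the TIK examples (sk^(3)_{>=0} in SK_4 gives
# l_3 = 4, sk^(2)_{<=0} in SK_1 gives l_2 = 1). l_6 = 5 follows from r_6 in
# [4,5] with 6 not in NODES(4). Nodes 5 and 7 are omitted: their offsets are
# not stated on the page, and no ciphertext below uses them.
LAYOUT = {
    0: ("PTSE", 0, 8), 1: ("FTSE", 0, 7),
    2: ("PTSE", 1, 3), 3: ("FTSE", 4, 3),
    4: ("PTSE", 1, 1), 6: ("PTSE", 5, 1),
}

def nodes(t):
    """NODES(t), restricted to LAYOUT: nodes whose range S_v contains t."""
    return {v for v, (_, lo, size) in LAYOUT.items() if lo <= t < lo + size}

def extract(t):
    """TIK for time t as {node: local index t - l_v}."""
    return {v: t - LAYOUT[v][1] for v in nodes(t)}

def opens(t, component):
    """True if the TIK for time t decrypts the component (node, tau)."""
    node, tau = component
    key = extract(t)
    if node not in key:
        return False
    # Assumed key semantics, following the subscripts on the page:
    # sk_{<=i} (PTSE) opens labels tau <= i; sk_{>=i} (FTSE) opens tau >= i.
    return tau <= key[node] if LAYOUT[node][0] == "PTSE" else tau >= key[node]

def window(components):
    """Time units whose TIK opens at least one non-empty component."""
    return {t for t in range(T) if any(opens(t, c) for c in components)}

# The three ciphertexts from TSE.Enc above, as (node, local time) pairs.
TOY = {
    (4, 7): [(0, 4)],          # c_L = PTSE.Enc(mpk_0, 4, M), c_R empty
    (4, 5): [(3, 1)],          # c_L empty, c_R = FTSE.Enc(mpk_3, 1, M)
    (2, 6): [(2, 1), (3, 2)],  # PTSE.Enc(mpk_2, 1, M), FTSE.Enc(mpk_3, 2, M)
}

if __name__ == "__main__":
    for (tl, tr), comps in TOY.items():
        print((tl, tr), sorted(window(comps)))
```

For each of the three DTIs the computed window equals the DTI itself; for [2, 6] the PTSE component on node 2 covers times 2 and 3 and the FTSE component on node 3 covers times 4 to 6.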


Cite this article

Kasamatsu, K., Matsuda, T., Emura, K. et al. Time-specific encryption from forward-secure encryption: generic and direct constructions. Int. J. Inf. Secur. 15, 549–571 (2016). https://doi.org/10.1007/s10207-015-0304-y
