A Framework for Identity-Based Encryption with Almost Tight Security
Abstract

We obtain (almost) tightly secure IBE in the multi-challenge, multi-instance setting, both in composite- and prime-order groups. The latter resolves the open problem posed by Hofheinz et al. (PKC 2015).

We obtain the first (almost) tightly secure IBE with sublinear-size public parameters (master public keys). In particular, we can set the size of the public parameters to constant at the cost of longer ciphertexts and private keys. This gives a partial solution to the open problem posed by Chen and Wee (Crypto 2013).
By applying (a variant of) the Canetti-Halevi-Katz transformation to our schemes, we obtain several CCA-secure PKE schemes with tight security in the multi-challenge, multi-instance setting. One of our schemes achieves very small ciphertext overhead, consisting of less than 12 group elements. This significantly improves the state-of-the-art construction by Libert et al. (in ePrint Archive), which requires 47 group elements. Furthermore, by modifying one of our IBE schemes obtained above, we can make it anonymous. This gives the first anonymous IBE whose security is almost tightly shown in the multi-challenge setting.
Keywords
Tight security reduction; Identity-based encryption; Multi-challenge security; Chosen ciphertext security
1 Introduction
1.1 Backgrounds
In the context of provable security, we reduce the security of a given scheme to the hardness of a computational problem, in order to gain confidence in the security of the scheme. Namely, we assume an adversary \(\mathcal {A}\) who breaks the scheme and then show another adversary \(\mathcal {B}\) who solves the (assumed) hard problem using \(\mathcal {A}\). Such a reduction should be as tight as possible, in the sense that \(\mathcal {B}\)'s success probability is as large as \(\mathcal {A}\)'s. In this paper, we mostly focus on tight security reductions for identity-based encryption (IBE) [47].
IBE is an advanced form of public key encryption in which one can encrypt a message for a user identity, rather than a public key. The first fully secure (often called adaptively secure) construction in the standard model was given in [11]. Later, further developments were made [8, 29, 48, 49]. All the above-mentioned papers only deal with the single-challenge, single-instance case. Since it is known that security in the (much more realistic) multi-challenge and multi-instance setting can be reduced to security in the single-challenge and single-instance setting [7], these schemes are secure in the former setting in an asymptotic sense. However, this reduction incurs \(O(\mu Q_c)\) security loss, where \(Q_c\) is the number of challenge queries made by the adversary and \(\mu \) is the number of instances. Since all the above schemes already lose at least \(O(Q_k)\) security in their reductions, where \(Q_k\) is the number of key extraction queries made by \(\mathcal {A}\), these schemes lose at least \(O(\mu Q_c Q_k)\) security in total.

Can we construct a fully, (almost) tightly secure IBE scheme in the multi-challenge and multi-instance setting from a static assumption in prime-order groups?

Can we construct a fully, (almost) tightly secure IBE scheme from a static assumption with constant-size public parameters, even in the single-challenge and single-instance setting?
1.2 Our Results

We obtain the first IBE scheme in prime-order groups with almost tight security in the multi-challenge and multi-instance setting. The security of our scheme can be shown under the decisional linear (DLIN) assumption. This resolves the first question above.

We obtain the first IBE scheme with almost tight security in the multi-challenge and multi-instance setting and with sublinear public parameter size (but at the cost of larger private key and ciphertext size). No IBE scheme with almost tight security and sublinear public parameter size was previously known, even in the single-challenge setting. This partially answers the second question above.
Extension to Anonymous IBE. Furthermore, by modifying one of the new IBE schemes obtained above, we obtain the first anonymous IBE scheme with an (almost) tight security reduction in the multi-challenge setting. The security proof is done by carefully combining an information-theoretic argument due to Chen et al. [16] with a computational argument.
Comparison of almost tight IBE from static assumptions

| Scheme | \(\mathsf {pp}+\mathsf {mpk}\) | \(\mathsf {CT}\) | \(\mathsf {sk}_\mathsf {ID}\) | Anon? | Multi-challenge? | Underlying group | Security assumption |
|---|---|---|---|---|---|---|---|
| CW13 [17] | \(O(\kappa )\) | O(1) | O(1) | No | No | Composite | SGD, CW |
| HKS15 [31] | \(O(\kappa )\) | O(1) | O(1) | No | Yes | Composite | SGD, HKS |
| Ours: \(\mathsf {\Phi }_\mathsf {cc}^\mathsf {comp}\) | \(O(\kappa )\) | O(1) | O(1) | No | Yes | Composite | SGD, Problem 5 |
| Ours: \(\mathsf {\Phi }^\mathsf {comp}_\mathsf {slp}\) | \(O(\kappa ^{1-c})\) | \(O(\kappa ^{c})\) | \(O(\kappa ^{c})\) | No | Yes | Composite | SGD, DLIN |
| CW13 [17]\(^\dagger \) | \(O(\kappa )\) | O(1) | O(1) | No | No | Prime | DLIN |
| BKP14 [9]\(^{*\dagger } \) | \(O(\kappa )\) | O(1) | O(1) | Yes | No | Prime | DLIN |
| Ours: \(\mathsf {\Phi }^\mathsf {prime}_{\mathsf {cc}}\) | \(O(\kappa )\) | O(1) | O(1) | No | Yes | Prime | DLIN |
| Ours: \(\mathsf {\Phi }^\mathsf {prime}_{\mathsf {slp}}\) | \(O(\kappa ^{1-c})\) | \(O(\kappa ^{c})\) | \(O(\kappa ^{c})\) | No | Yes | Prime | DLIN |
| Ours: \(\mathsf {\Phi }_{\mathsf {anon}}\) | \(O(\kappa )\) | O(1) | O(1) | Yes | Yes | Prime | DLIN |
1.3 Our Techniques
Difficulties. To solve the first question above, a natural starting point would be to apply the frameworks for composite-order-to-prime-order conversion dedicated to identity/attribute-based encryption [2, 3, 16, 18, 35] to the HKS scheme [31]. However, the security proofs for the CW and HKS schemes deviate significantly from the most standard form of the dual system encryption methodology [4, 37, 39, 50], which is the only setting to which the above-mentioned frameworks apply. Another approach is to try to convert the specific assumptions they use into prime-order ones. In fact, Chen and Wee [17] were able to accomplish such a conversion for their scheme. However, their technique is non-generic, and therefore it is highly unclear whether the same argument is possible for the assumptions that HKS use.
Next, we explain the difficulty of the second question. The reason why all IBE schemes featuring an (almost) tight security reduction in previous works [9, 17, 31] require large public parameters is that they use (a randomized version of) the Naor-Reingold PRF [40] in their construction. Note that the Naor-Reingold PRF requires a seed length which is linear in the input size, which in turn implies rather long public parameters in the IBE schemes. A natural approach to improve the efficiency would be, as noted by Chen and Wee [17, 19], to reduce the seed length of the Naor-Reingold PRF. However, this is a long-standing open problem and turns out to be quite difficult.
Our Strategy. In this paper, we introduce new proof techniques for IBE schemes (with almost tight security) that rely only on subgroup decision assumptions. This allows us to use the frameworks for composite-order-to-prime-order conversion in the literature [2, 3, 16, 22, 23, 26, 35, 42] (to name only a few), which convert a subgroup decision assumption into a static assumption in prime-order groups, such as the DLIN assumption. Therefore, using these techniques, we are able to convert a variant of the HKS scheme into prime-order groups. This answers the first question above. Note that the security proofs of HKS (and CW) rely on some specific assumptions in composite-order groups in addition to subgroup decision assumptions. Because of these, it is unclear how to convert the HKS scheme into prime-order groups directly.
As for the second question, we view Chen and Wee's scheme as being constructed from, somewhat surprisingly, a broadcast encryption mechanism instead of a (Naor-Reingold) PRF, and hence we can avoid the above difficulty regarding the PRF. More precisely, we show that the task of constructing an almost tightly secure IBE scheme essentially reduces to the construction of a broadcast encryption scheme, and based on this idea, we are able to obtain the first IBE scheme with sublinear-size public parameters and almost tight security. In the following, we explain our technique.
Overview of Our Framework. We refine the idea above and combine it with the technique of HKS to propose our framework for constructing IBE schemes that are (almost) tightly secure in the multi-challenge and multi-instance setting, in both composite- and prime-order groups. We first define a broadcast encoding, which is an abstraction of broadcast encryption. Its syntax is a special case of the "pair encoding" in [4] (and also similar to the "predicate encoding" in [50]). Then, we define perfect master-key hiding (PMH) security and computational master-key hiding (CMH) security for it. These security notions are also similar to those of [4, 50]. The former is a statistical requirement on the encoding, and the latter a computational one. We can easily show that the former implies the latter. Then, we also introduce an intermediate notion, multi-master-key hiding (MMH) security, for the encoding. This is a more complex notion than PMH and CMH security, but it is implied by them, thanks to our boosting technique above. Then, we show that a broadcast encoding satisfying the MMH security requirement can be converted into an IBE scheme. All these reductions are (almost) tightness-preserving: if the original broadcast encoding is tightly PMH/CMH secure, the resulting IBE scheme is also tightly secure in the multi-challenge and multi-instance setting. Finally, we provide broadcast encoding schemes that satisfy our requirement. One is implicit in the Gentry-Waters broadcast encryption scheme [25] and the other is completely new. By instantiating our general framework with the latter construction, we obtain an IBE scheme with almost tight security and sublinear master public key size.
1.4 Related Works
Related Works on IBE. The first realizations of IBE in the random oracle model were given in [13, 20, 45]. Later, realizations in the standard model [10, 14] were given. In the random oracle model, it is possible to obtain an efficient and tightly secure IBE scheme [5]. Gentry [24] proposed a tightly secure anonymous IBE scheme under a non-static, parametrized assumption. Chen and Wee proposed the first almost tightly secure IBE scheme under static and simple assumptions [17, 19]. Attrapadung [4] proposed an IBE scheme whose security loss only depends on the number of key queries before the challenge phase. Jutla and Roy [32] constructed a very efficient IBE scheme from the SXDH assumption, based on a technique related to NIZK. Blazy, Kiltz, and Pan [9] further generalized the idea and showed that a message authentication code with a certain specific algebraic structure implies (H)IBE. They further obtained an almost tightly secure anonymous IBE and a (non-anonymous) HIBE via the framework. Note that all the above-mentioned schemes only focus on the single-challenge setting.
Related Works on Multi-Challenge CCA-Secure PKE. Bellare, Boldyreva, and Micali [7] gave a tight reduction for the Cramer-Shoup encryption [21] in the multi-instance (multi-user) and single-challenge setting. They posed the important open question of whether it is possible to construct a tightly CCA-secure PKE scheme in the multi-instance and multi-challenge setting. The first PKE scheme satisfying the requirement was proposed by Hofheinz and Jager [30]. Their scheme requires hundreds of group elements in the ciphertexts. Subsequently, Abe et al. [1] reduced the size by improving the efficiency of the underlying one-time signature. Libert et al. [33] greatly reduced the ciphertext and made it constant-size for the first time. The ciphertext overhead of their scheme consists of 68 group elements. Very recently, Libert et al. [34] further reduced it to 47 group elements. Concurrently and independently of us, Hofheinz [27] proposes the first PKE scheme with the same security guarantee and fully compact parameters, which means all parameters are constant-size. While the ciphertext size (60 group elements) is longer than that of the construction in [34], it achieves much shorter public parameters. We note that while the technique is very powerful, it is unclear how to extend it to the IBE setting.
Due to space limitations, many definitions and proofs are omitted from this version. These can be found in the full version of the paper [6].
2 Preliminaries
Notation. Vectors will be treated as either row or column vector matrices. When unspecified, we shall let it be a row vector. We denote by \(\mathbf {e}_i\) the i-th unit (row) vector: its i-th component is one, all others are zero. \(\mathbf {0}\) denotes the zero vector or zero matrix. For an integer \(n\in \mathbb {N}\) and a field \(\mathbb {F}\), \(\mathbb {GL}_{n}(\mathbb {F})\) denotes the set of all invertible matrices in \(\mathbb {F}^{n\times n}\). For a multiplicative group \(\mathbb {G}\), we denote by \(\mathbb {G}^*\) the set of all generators of \(\mathbb {G}\). We also denote by [a, b] the set \(\{a,\ldots , b\}\) for any integers a and b, and \([n]=[1,n]\) for any \(n\in \mathbb {N}\). We denote by \(u \overset{_\$}{\leftarrow } U\) the fact that u is picked uniformly at random from a finite set U.
2.1 Identity-Based Encryption
In this section, we define the syntax and security of IBE (in the multi-challenge, multi-instance setting).

\(\mathsf {Par}(1^\kappa )\rightarrow (\mathsf {pp}, \mathsf {sp}) \): The parameter sampling algorithm takes as input a security parameter \(1^\kappa \) and outputs a public parameter \(\mathsf {pp}\) and a secret parameter \(\mathsf {sp}\).

\(\mathsf {Gen}(\mathsf {pp},\mathsf {sp})\rightarrow (\mathsf {mpk},\mathsf {msk}) \): The key generation algorithm takes \(\mathsf {pp}\) and \(\mathsf {sp}\) as input and outputs a master public key \(\mathsf {mpk}\) and master secret key \(\mathsf {msk}\).

\(\mathsf {Ext}(\mathsf {msk},\mathsf {mpk}, \mathsf {ID})\rightarrow \mathsf {sk}_\mathsf {ID}\): The user private key extraction algorithm takes as input the master secret key \(\mathsf {msk}\), the master public key \(\mathsf {mpk}\), and an identity \(\mathsf {ID}\in \mathcal {ID}\). It outputs a private key \(\mathsf {sk}_\mathsf {ID}\).

\(\mathsf {Enc}(\mathsf {mpk}, \mathsf {ID}, \mathsf {M})\rightarrow \mathsf {CT}\): The encryption algorithm takes as input a master public key \(\mathsf {mpk}\), an identity \(\mathsf {ID}\), and a message \(\mathsf {M}\in \mathcal {M}\). It will output a ciphertext \(\mathsf {CT}\).

\(\mathsf {Dec}(\mathsf {sk}_\mathsf {ID},\mathsf {CT})\rightarrow \mathsf {M}\): The decryption algorithm takes as input a private key \(\mathsf {sk}_{\mathsf {ID}}\) and a ciphertext \(\mathsf {CT}\). It outputs a message \(\mathsf {M}\) or \(\bot \) which indicates that the ciphertext is not in a valid form.
For the (standard) notion of correctness of IBE, we refer to [6].
In our constructions, we will set the identity space \(\mathcal {ID}= \{ 0,1 \}^\ell \) for some \(\ell \in \mathbb {N}\). Note that this restriction on the identity space can be easily removed by applying a collision resistant hash function \(\mathsf {CRH}: \{0,1\}^* \rightarrow \{0,1\}^\ell \) to an identity. Typically, we would set \(\ell = {\varTheta }(\kappa )\) to avoid the birthday attack.
Security Model. We now define \((\mu , Q_c, Q_k )\)-security for an IBE \(\mathsf {\Phi }=(\mathsf {Par}, \mathsf {Gen}, \mathsf {Ext},\mathsf {Enc}, \mathsf {Dec})\). This security notion is defined by the following game between a challenger and an attacker \(\mathcal{A}\).
Setup. The challenger runs \((\mathsf {pp},\mathsf {sp}) \overset{_\$}{\leftarrow } \mathsf {Par}(1^\kappa ) \) and \((\mathsf {mpk}^{(j)},\mathsf {msk}^{(j)}) \overset{_\$}{\leftarrow } \mathsf {Gen}(\mathsf {pp}, \mathsf {sp})\) for \(j\in [\mu ]\). The challenger also picks a random coin \(\textsf {coin}\overset{_\$}{\leftarrow } \{ 0,1 \}\) whose value is fixed throughout the game. Then, \((\mathsf {pp}, \{ \mathsf {mpk}^{(j)} \}_{j\in [\mu ]} )\) is given to \(\mathcal{A}\).
In the following, \(\mathcal {A}\) adaptively makes the following two types of queries in an arbitrary order.

–Key Extraction Query. The adversary \(\mathcal {A}\) submits \((\texttt {Extraction},j\in [\mu ], \mathsf {ID}\in \mathcal {ID})\) to the challenger. Then, the challenger runs \( \mathsf {sk}^{(j)}_{\mathsf {ID}}\overset{_\$}{\leftarrow } \mathsf {Ext}(\mathsf {msk}^{(j)}, \mathsf {mpk}^{(j)}, \mathsf {ID})\) and returns \(\mathsf {sk}^{(j)}_{\mathsf {ID}}\) to \(\mathcal {A}\).

–Challenge Query. The adversary \(\mathcal {A}\) submits \((\texttt {Challenge},j\in [\mu ],\mathsf {ID}\in \mathcal {ID}, \mathsf {M}_0, \mathsf {M}_1 \in \mathcal {M})\) to the challenger. Then, the challenger runs \(\mathsf {CT}\overset{_\$}{\leftarrow } \mathsf {Enc}(\mathsf {mpk}^{(j)},\mathsf {ID}, \mathsf {M}_{\textsf {coin}} )\) and returns \(\mathsf {CT}\) to \(\mathcal {A}\).
We say that the adversary \(\mathcal {A}\) is valid if and only if \(\mathcal {A}\) never queries \((\texttt {Extraction}, j,\mathsf {ID})\) such that it has already queried \((\texttt {Challenge}, j, \mathsf {ID}, \mathsf {M}_0, \mathsf {M}_1 )\) for the same \((j,\mathsf {ID})\) (and vice versa); \(\mathcal {A}\) has made at most \(Q_c\) challenge queries; and \(\mathcal {A}\) has made at most \(Q_k\) key extraction queries.
Definition 1
We say that IBE \(\mathsf {\Phi }\) is secure if \(\mathsf {Adv}^{\mathsf {IBE}}_{\mathcal {A},\mathsf {\Phi },(\mu , Q_c, Q_k)}(\kappa )\) is negligible for any polynomially bounded \(\mu \), \(Q_c\), \(Q_k\), and any valid PPT adversary \(\mathcal {A}\).
Anonymity. We also consider anonymity for the IBE scheme. To define \((\mu , Q_c, Q_k )\)-anonymity for an IBE scheme, we change the form of challenge queries in the above game as follows.

–Challenge Query. The adversary \(\mathcal {A}\) submits \((\texttt {Challenge},j\in [\mu ],\mathsf {ID}_0, \mathsf {ID}_1 \in \mathcal {ID}, \mathsf {M}_0, \mathsf {M}_1 \in \mathcal {M})\) to the challenger. Then, the challenger runs \(\mathsf {CT}\overset{_\$}{\leftarrow } \mathsf {Enc}(\mathsf {mpk}^{(j)},\mathsf {ID}_{\textsf {coin}}, \mathsf {M}_{\textsf {coin}} )\) and returns \(\mathsf {CT}\) to \(\mathcal {A}\).
We say that the adversary \(\mathcal {A}\) is valid if \(\mathcal {A}\) never queries \((\texttt {Extraction}, j, \mathsf {ID})\) such that it has already queried \((\texttt {Challenge}, j, \mathsf {ID}_0, \mathsf {ID}_1, \mathsf {M}_0, \mathsf {M}_1 )\) for the same j and \(\mathsf {ID}\in \{ \mathsf {ID}_0, \mathsf {ID}_1 \}\) (and vice versa); \(\mathcal {A}\) has made at most \(Q_c\) challenge queries; and \(\mathcal {A}\) has made at most \(Q_k\) key extraction queries. We define the advantage of \(\mathcal {A}\) in this modified game as \(\mathsf {Adv}^{\mathsf {AIBE}}_{\mathcal {A},\mathsf {\Phi },(\mu , Q_c, Q_k)}(\kappa ):= \left| \Pr [\textsf {coin}'=\textsf {coin}] - \frac{1}{2} \right| \).
Definition 2
We say that IBE \(\mathsf {\Phi }\) is anonymous if \(\mathsf {Adv}^{\mathsf {AIBE}}_{\mathcal {A},\mathsf {\Phi },(\mu , Q_c, Q_k)}(\kappa )\) is negligible for any polynomially bounded \(\mu \), \(Q_c\), \(Q_k\), and any valid PPT adversary \(\mathcal {A}\).
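As an added illustration (not code from the paper), the following Python challenger carries out the bookkeeping of the \((\mu, Q_c, Q_k)\) game above and of its anonymity variant: one \((\mathsf{mpk}^{(j)}, \mathsf{msk}^{(j)})\) per instance, a single coin fixed for the whole game, the query bounds, and the validity rule that no \((j, \mathsf{ID})\) may appear in both an Extraction and a Challenge query. The scheme object is abstract; `ToyIBE` is a constructed placeholder whose ciphertext is \((\mathsf{ID}, \mathsf{M})\) in the clear, so it is not an IBE scheme at all and exists only to exercise the interface. The identities and messages in the sample adversaries are likewise constructed.

```python
# Challenger for the (mu, Q_c, Q_k) IBE security game and its anonymity variant.
# Added illustration, not code from the paper. ToyIBE is a constructed
# placeholder whose ciphertext is (ID, M) in the clear: it is NOT an IBE scheme
# and only exercises the Par/Gen/Ext/Enc/Dec interface.
import secrets


class ToyIBE:
    @staticmethod
    def Par(kappa):
        return {"kappa": kappa}, None            # sp = bot, as in Section 4

    @staticmethod
    def Gen(pp, sp):
        msk = secrets.token_bytes(16)            # fresh per instance j
        return {"tag": msk[:4].hex()}, msk

    @staticmethod
    def Ext(msk, mpk, ID):
        return (ID, msk)

    @staticmethod
    def Enc(mpk, ID, M):
        return (ID, M)                           # leaks ID and M on purpose

    @staticmethod
    def Dec(sk_ID, CT):
        return CT[1] if sk_ID[0] == CT[0] else None


class InvalidAdversary(Exception):
    """A query broke the validity rule or exceeded a query bound."""


class Challenger:
    def __init__(self, scheme, mu, Q_c, Q_k, kappa=128, anonymous=False):
        self.scheme, self.mu, self.Q_c, self.Q_k = scheme, mu, Q_c, Q_k
        self.anonymous = anonymous
        self.pp, self.sp = scheme.Par(kappa)
        keys = [scheme.Gen(self.pp, self.sp) for _ in range(mu)]
        self.mpk = [mpk for mpk, _ in keys]
        self.msk = [msk for _, msk in keys]
        self.coin = secrets.randbelow(2)         # one coin for the whole game
        self.extracted, self.challenged = set(), set()   # (j, ID) pairs seen
        self.n_c = self.n_k = 0

    def public_input(self):
        return self.pp, list(self.mpk)           # (pp, {mpk^(j)}) given to A

    def extraction(self, j, ID):
        if not 0 <= j < self.mu or self.n_k >= self.Q_k or (j, ID) in self.challenged:
            raise InvalidAdversary(f"Extraction({j}, {ID!r}) not allowed")
        self.n_k += 1
        self.extracted.add((j, ID))
        return self.scheme.Ext(self.msk[j], self.mpk[j], ID)

    def challenge(self, j, IDs, M0, M1):
        # IDs = (ID,) in the standard game, (ID_0, ID_1) in the anonymity game
        if len(IDs) != (2 if self.anonymous else 1) or not 0 <= j < self.mu:
            raise InvalidAdversary("malformed Challenge query")
        if self.n_c >= self.Q_c or any((j, ID) in self.extracted for ID in IDs):
            raise InvalidAdversary(f"Challenge({j}, {IDs}) not allowed")
        self.n_c += 1
        self.challenged.update((j, ID) for ID in IDs)
        ID = IDs[self.coin] if self.anonymous else IDs[0]
        return self.scheme.Enc(self.mpk[j], ID, (M0, M1)[self.coin])

    def outcome(self, guess):
        return guess == self.coin


def run_game(scheme, adversary, mu, Q_c, Q_k, trials=200, anonymous=False):
    """Empirical |Pr[coin' = coin] - 1/2| over independent runs of the game."""
    wins = 0
    for _ in range(trials):
        ch = Challenger(scheme, mu, Q_c, Q_k, anonymous=anonymous)
        wins += ch.outcome(adversary(ch))
    return abs(wins / trials - 0.5)


def rejects(scheme, adversary, mu=1, Q_c=1, Q_k=1, anonymous=False):
    """True if the challenger aborts the run because a query was invalid."""
    try:
        run_game(scheme, adversary, mu, Q_c, Q_k, trials=1, anonymous=anonymous)
    except InvalidAdversary:
        return True
    return False


def leaking_adversary(ch):                  # reads the M that ToyIBE leaks
    _, mpks = ch.public_input()
    ct = ch.challenge(len(mpks) - 1, ("alice@example",), b"m0", b"m1")
    return 0 if ct[1] == b"m0" else 1


def leaking_anon_adversary(ch):             # reads the ID that ToyIBE leaks
    ct = ch.challenge(0, ("alice@example", "bob@example"), b"m", b"m")
    return 0 if ct[0] == "alice@example" else 1


def cheating_adversary(ch):                 # asks for sk of the challenge (j, ID)
    ch.challenge(0, ("alice@example",), b"m0", b"m1")
    ch.extraction(0, "alice@example")       # raises InvalidAdversary
    return 0
```

Against `ToyIBE` the leaking adversaries reach the maximal advantage 1/2 in both games, while `cheating_adversary` is stopped by the validity rule; a real scheme plugged into `Challenger` would instead be expected to leave every valid adversary near advantage 0.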
2.2 Composite-Order Bilinear Groups
We will use a bilinear group \((\mathbb {G},\mathbb {G}_T)\) of composite order \(N=p_1p_2p_3 p_4\), where \(p_1\), \(p_2\), \(p_3\), \(p_4\) are four distinct prime numbers, with an efficiently computable and non-degenerate bilinear map \(e(\cdot ):\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\). For each \(d \mid N\), \(\mathbb {G}\) has a unique subgroup of order d, denoted by \(\mathbb {G}_d\). We let \(g_i\) be a generator of \(\mathbb {G}_{p_i}\). For our purpose, we define a (composite-order) bilinear group generator \(\mathcal {G}_{\mathsf {comp}}\) that takes as input a security parameter \(1^\kappa \) and outputs \((N,\mathbb {G},\mathbb {G}_T, g_1,g_2, g_3, g_4, e(\cdot ) )\). Any \(h\in \mathbb {G}\) can be expressed as \(h=g_1^{a_1}g_2^{a_2}g_3^{a_3}g_4^{a_4}\), where \(a_i\) is uniquely determined modulo \(p_i\). We call \(g_i^{a_i}\) the \(\mathbb {G}_{p_i}\) component of h. We have that \(e(g^a,h^b)=e(g,h)^{ab}\) for any \(g,h\in \mathbb {G}\), \(a,b\in \mathbb {Z}\), and \(e(g,h)=1_{\mathbb {G}_T}\) for \(g\in \mathbb {G}_{p_i}\) and \(h\in \mathbb {G}_{p_j}\) with \(i\ne j\) (distinct prime-order subgroups are orthogonal under the pairing).
Problem 1
\(D=\emptyset \), \(T_0 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1}\), and \(T_1 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1 p_2}\).
Problem 2
\(D=(g_{12}, g_3, g_{24})\), \(T_0 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1p_4}\), and \(T_1 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1 p_2 p_4}\).
Problem 3
\(D=(g_{13}, g_2, g_{34})\), \(T_0 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1p_4}\), and \(T_1 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1 p_3 p_4}\).
Problem 4
\(D=(g_{12}, g_{23})\), \(T_0 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1p_2}\), and \(T_1 \overset{_\$}{\leftarrow } \mathbb {G}^*_{p_1 p_3}\).
Problem 5
\(D=(g_{2}, g_3, g_2^x, g_2^y, g_2^z)\), \(T_0 = e(g_2, g_2)^{xyz}\), and \(T_1 = e(g_2, g_2)^{xyz + \gamma }\), where \(x,y,z \overset{_\$}{\leftarrow } \mathbb {Z}_N\) and \(\gamma \overset{_\$}{\leftarrow } \mathbb {Z}_N^*\).
Problems 1, 2, 3, and 4 are called subgroup decision problems. Problem 5 is called the decisional bilinear Diffie-Hellman problem. In the problem descriptions, \(g_{ij}\) denotes a generator of \(\mathbb {G}_{p_i p_j}\).
Matrix-in-the-Exponent. Given any vector \(\mathbf {w}=(w_1,\ldots ,w_n) \in \mathbb {Z}_N^n\) and a group element g, we write \(g^{\mathbf {w}}\in \mathbb {G}^n\) to denote \((g^{w_1},\ldots ,g^{w_n}) \in \mathbb {G}^{n}\); we define \(g^\mathbf {A}\) for a matrix \(\mathbf {A}\) in a similar way. \(g^{\mathbf {A}}\cdot g^{\mathbf {B}}\) denotes the component-wise product: \(g^{\mathbf {A}}\cdot g^{\mathbf {B}}=g^{\mathbf {A}+\mathbf {B}}\). Note that given \(g^\mathbf {A}\) and a matrix \(\mathbf {B}\) of "exponents", one can efficiently compute \(g^{\mathbf {B}\mathbf {A}}\) and \(g^{\mathbf {A}\mathbf {B}}=(g^\mathbf {A})^\mathbf {B}\). Furthermore, if there is an efficiently computable map \(e:\mathbb {G}\times \mathbb {G}\rightarrow \mathbb {G}_T\), then given \(g^\mathbf {A}\) and \(g^\mathbf {B}\), one can efficiently compute \(e(g,g)^{\mathbf {A}^\top \mathbf {B}}\) via \((e(g,g)^{\mathbf {A}^\top \mathbf {B}})_{i,j}=\prod _{k}e(g^{A_{k,i}},g^{B_{k,j}})\), where \(A_{i,j}\) and \(B_{i,j}\) denote the (i, j)-th coefficient of \(\mathbf {A}\) and \(\mathbf {B}\) respectively. We will use \(e(g^{\mathbf {A}},g^\mathbf {B})=e(g,g)^{\mathbf {A}^\top \mathbf {B}}\) to denote this operation.
3 Broadcast Encoding: Definitions and Reductions
In this section, we define the syntax and the security notions for broadcast encoding. The syntax of our definition corresponds to a special case of the "pair encoding" defined in [4] and is also similar to the "predicate encoding" in [50]. As for the security requirements on the encoding, ours are slightly different from both. We define several flavours of security requirement: perfect master-key hiding (PMH) security, computational master-key hiding (CMH) security, and multi-master-key hiding (MMH) security. The last one is useful, since we can obtain an IBE scheme from a broadcast encoding scheme satisfying that security notion, as we will explain in Sect. 4. However, MMH security is defined by a relatively complex game and may not be easy to show. Later in this section, we will see that MMH security can be tightly reduced to the much simpler CMH and PMH security.
3.1 Broadcast Encoding: Syntax
The broadcast encoding \(\mathsf {\Pi }\) consists of the following four deterministic algorithms.

– \(\mathsf {Param}(n, N)\rightarrow d_1 :\) It takes as input integers n and N and outputs \(d_1\in \mathbb {N}\), which specifies the number of common variables in \(\mathsf {CEnc}\) and \(\mathsf {KEnc}\). For the default notation, \(\mathbf {w}=(w_1,\ldots , w_{d_1}) \) denotes the list of common variables.
– \(\mathsf {KEnc}(\tau , N)\rightarrow (\mathbf {k}, d'_2 ):\) It takes as input \(\tau \in [n]\), \(N\in \mathbb {N}\), and outputs a vector of polynomials \(\mathbf {k}=(k_1, \ldots , k_{d_2})\) with coefficients in \(\mathbb {Z}_N\), and \(d'_2 \in \mathbb {N}\) that specifies the number of its own variables. We assume without loss of generality that \(d_2\) and \(d'_2\) only depend on n and not on \(\tau \). We require that each polynomial in \(\mathbf {k}\) is a linear combination of the monomials \(\alpha \), \(r_j\), \(w_k r_j\), where \(\alpha ,r_1,\ldots , r_{d'_2}, w_1,\ldots , w_{d_1}\) are variables. More precisely, it outputs \(\{b_{\iota } \}_{\iota \in [d_2]}\), \(\{ b_{\iota ,j} \}_{(\iota ,j)\in [d_2] \times [d'_2]}\), and \(\{ b_{\iota ,j,k} \}_{(\iota ,j,k)\in [d_2] \times [d'_2] \times [d_1]}\) in \(\mathbb {Z}_N\) such that
$$\begin{aligned}&k_{\iota }\Bigl (\alpha , r_1,\ldots , r_{d'_2},w_1,\ldots , w_{d_1} \Bigr ) \nonumber \\&\qquad \qquad \qquad = b_\iota \alpha + \Bigl (\sum _{j\in [d'_2]} b_{\iota ,j}r_j \Bigr ) + \Bigl (\sum _{(j,k)\in [d'_2]\times [d_1]} b_{\iota ,j,k}w_k r_j \Bigr ) \end{aligned}$$ (4)
for \(\iota \in [d_2]\).

– \(\mathsf {CEnc}(S,N)\rightarrow (\mathbf {c}, d'_3):\) It takes as input \(S\subseteq [n]\), \(N\in \mathbb {N}\), and outputs a vector of polynomials \(\mathbf {c}=(c_1, \ldots , c_{d_3})\) with coefficients in \(\mathbb {Z}_N\), and \(d'_3\in \mathbb {N}\) that specifies the number of its own variables. We require that the polynomials \(\mathbf {c}\) in the variables \(s_0, s_1,\ldots , s_{d'_3}, w_1,\ldots , w_{d_1}\) have the following form: there exist (efficiently computable) sets of coefficients \(\{ a_{\iota ,j} \}_{(\iota ,j)\in [d_3] \times [0,d'_3]}\) and \(\{ a_{\iota ,j,k} \}_{(\iota ,j,k)\in [d_3] \times [0,d'_3] \times [d_1]}\) in \(\mathbb {Z}_N\) such that
$$\begin{aligned}&c_\iota \Bigl (s_0, s_1,\ldots , s_{d'_3},w_1,\ldots , w_{d_1} \Bigr ) \nonumber \\&\qquad \qquad \qquad = \Bigl (\sum _{j\in [0, d'_3]} a_{\iota ,j}s_j \Bigr ) + \Bigl (\sum _{(j,k)\in [0, d'_3]\times [d_1]} a_{\iota ,j,k}w_k s_j \Bigr ) \end{aligned}$$ (5)
for \(\iota \in [d_3]\). We also require that \(c_1 =s_0\).
– \(\mathsf {Pair}(\tau , S,N)\rightarrow \mathbf {E}:\) It takes as input \(\tau \in [n]\), \(S\subseteq [n]\), and \(N\in \mathbb {N}\) and outputs a matrix \(\mathbf {E}= (E_{i,j})_{i\in [d_2], j\in [d_3]} \in \mathbb {Z}_N^{d_2 \times d_3 }\).
– We require that for any n, N, \(d_1 \leftarrow \mathsf {Param}(n,N)\), \(\mathbf {k}\leftarrow \mathsf {KEnc}(\tau ,N)\), \(\mathbf {c}\leftarrow \mathsf {CEnc}(S,N)\), and \(\mathbf {E}\leftarrow \mathsf {Pair}(\tau , S, N)\), we have that
$$\begin{aligned} \mathbf {k}\mathbf {E}\mathbf {c}^\top = \alpha s_0 \qquad \text{ whenever } \qquad \tau \in S. \end{aligned}$$
The equation holds symbolically, or equivalently, as polynomials in the variables \(\alpha , r_1,\ldots , r_{d'_2},s_0, s_1,\cdots , s_{d'_3}, w_1,\ldots , w_{d_1}\).

– For p that divides N, if we let \(\mathsf {KEnc}(\tau , N) \rightarrow (\mathbf {k}, d'_2)\) and \(\mathsf {KEnc}(\tau , p) \rightarrow (\mathbf {k}', d''_2)\), then it holds that \(d'_2 = d''_2\) and \(\mathbf {k}\mod p = \mathbf {k}'\). The requirement for \(\mathsf {CEnc}\) is similar.
Note that since \(\mathbf {k}\mathbf {E}\mathbf {c}^\top = \sum _{(i,j)\in [d_2]\times [d_3]} E_{i,j} k_i c_j\), the first requirement amounts to checking whether there is a linear combination of the \(k_ic_j\) terms that sums to \(\alpha s_0\). In the descriptions of the proposed broadcast encoding schemes, which appear later in this paper, we will not explicitly write down \(\mathbf {E}\). Instead, we will check this condition.
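The following Python code is an added example, not the paper's own: it checks the correctness condition \(\mathbf {k}\mathbf {E}\mathbf {c}^\top = \alpha s_0\) symbolically (as polynomials over \(\mathbb {Z}_N\), not by plugging in random values), checks the monomial shapes required by (4) and (5) together with \(c_1 = s_0\), and checks the "reduce modulo p" compatibility requirement. The encoding it runs on is a constructed toy with one ciphertext component per recipient (\(\mathbf {k} = (\alpha + w_\tau r_1, r_1)\), \(\mathbf {c} = (s_0, w_i s_0)_{i \in S}\), \(d_1 = n\), \(d'_2 = 1\), \(d'_3 = 0\)); it is not one of the paper's encodings and no PMH/CMH security is claimed for it. The composite modulus \(N = 3\cdot 5\cdot 7\cdot 11\) used in the usage note is likewise a constructed toy value.

```python
# Symbolic checker for the broadcast-encoding syntax of Section 3.1.
# Added example, not code from the paper. The encoding below is a constructed
# toy (one ciphertext component per recipient) with no security claim.
# A polynomial over Z_N is a dict {monomial: coeff}; a monomial is a sorted
# tuple of variable names such as ("r1", "w3").
from itertools import product


def add(p, q, N):
    out = dict(p)
    for m, c in q.items():
        out[m] = (out.get(m, 0) + c) % N
    return {m: c for m, c in out.items() if c}


def mul(p, q, N):
    out = {}
    for (m1, c1), (m2, c2) in product(p.items(), q.items()):
        m = tuple(sorted(m1 + m2))
        out[m] = (out.get(m, 0) + c1 * c2) % N
    return {m: c for m, c in out.items() if c}


def scale(p, a, N):
    return {m: (a * c) % N for m, c in p.items() if (a * c) % N}


def var(name):
    return {(name,): 1}


def Param(n, N):
    return n                                   # d_1 = n common variables w_1..w_n


def KEnc(tau, N):
    # k = (alpha + w_tau r_1, r_1); own variables: r_1, so d'_2 = 1
    k1 = add(var("alpha"), mul(var(f"w{tau}"), var("r1"), N), N)
    return [k1, var("r1")], 1


def CEnc(S, N):
    # c = (s_0, w_i s_0 for i in S); no own variables besides s_0, so d'_3 = 0
    return [var("s0")] + [mul(var(f"w{i}"), var("s0"), N) for i in sorted(S)], 0


def Pair(tau, S, N):
    # E selects k_1 c_1 - k_2 c_(1+pos(tau)); all-zero when tau is not in S
    E = [[0] * (len(S) + 1) for _ in range(2)]
    if tau in S:
        E[0][0] = 1
        E[1][1 + sorted(S).index(tau)] = N - 1     # -1 mod N
    return E


def pair_product(tau, S, N):
    """The polynomial k E c^T = sum_{i,j} E_{i,j} k_i c_j, reduced mod N."""
    k, _ = KEnc(tau, N)
    c, _ = CEnc(S, N)
    E = Pair(tau, S, N)
    total = {}
    for i, j in product(range(len(k)), range(len(c))):
        if E[i][j]:
            total = add(total, scale(mul(k[i], c[j], N), E[i][j], N), N)
    return total


def is_correct(tau, S, N):
    return pair_product(tau, S, N) == {("alpha", "s0"): 1}


def has_required_form(k, c):
    """Monomials of k in {alpha, r_j, w_k r_j}, of c in {s_j, w_k s_j}, c_1 = s_0."""
    def ok(m, own, allow_alpha):
        kinds = sorted(v[0] for v in m)            # first letter of each variable
        return kinds in ([own], [own, "w"]) or (allow_alpha and m == ("alpha",))
    return (all(ok(m, "r", True) for q in k for m in q)
            and all(ok(m, "s", False) for q in c for m in q)
            and c[0] == {("s0",): 1})


def reduces_mod_p(tau, S, N, p):
    """KEnc(tau, N) mod p == KEnc(tau, p) and likewise for CEnc (p divides N)."""
    kN, dN = KEnc(tau, N)
    kp, dp = KEnc(tau, p)
    cN, eN = CEnc(S, N)
    cp, ep = CEnc(S, p)
    red = lambda polys: [{m: c % p for m, c in q.items() if c % p} for q in polys]
    return dN == dp and eN == ep and red(kN) == kp and red(cN) == cp
```

With `N = 3 * 5 * 7 * 11`, `is_correct(3, {1, 3}, N)` returns `True` because the \(r_1 w_3 s_0\) terms of \(k_1 c_1\) and \(k_2 c_3\) cancel, while `is_correct(2, {1, 3}, N)` returns `False` since \(\mathbf {E}\) is all-zero for a non-recipient and nothing is required in that case. Note that in this toy \(d_3 = |S| + 1\) varies with S, which the syntax permits (only \(d_2\) and \(d'_2\) must be independent of \(\tau\)).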
3.2 Broadcast Encoding: Security
Here, we define two flavours of security notions for broadcast encoding: perfect security and computational security. As we will see, the former implies the latter. In what follows, we denote \(\mathbf {w}= (w_1,\ldots , w_{d_1})\), \(\mathbf {r}=(r_1,\ldots , r_{d'_2})\), and \(\mathbf {s}=(s_0, s_1,\ldots , s_{d'_3})\).

– \(\mathcal {O}^{\mathsf {CMH}, \mathsf {C}}_{\tau ^\star , \hat{\mathbf {w}} }(\cdot )\) takes \(S\subset [n]\) such that \(\tau ^\star \not \in S\) as input. It then runs \(\mathsf {CEnc}(S,N)\rightarrow (\mathbf {c},d'_3)\), picks \(\hat{\mathbf {s}}=(\hat{s}_0,\hat{s}_1, \ldots , \hat{s}_{d_3'} ) \overset{_\$}{\leftarrow } \mathbb {Z}_N^{d_3' + 1}\), and returns \(g_2^{\mathbf {c}(\hat{\mathbf {s}}, \hat{\mathbf {w}})}\). We note that \(\hat{\mathbf {s}}\) is freshly chosen every time the oracle is called.
– \(\mathcal {O}_{\tau ^\star , \hat{\mathbf {w}}, b}^{\mathsf {CMH}, \mathsf {K}}(\cdot )\) ignores its input. When it is called, it first runs \(\mathsf {KEnc}(\tau ^\star , N )\rightarrow (\mathbf {k}, d'_2)\) and picks \(\hat{\mathbf {r}} = (\hat{r}_1,\ldots , \hat{r}_{d'_2} ) \overset{_\$}{\leftarrow } \mathbb {Z}_N^{d'_2}\) and \(\hat{\alpha } \overset{_\$}{\leftarrow } \mathbb {Z}_N\). Then it returns
$$\begin{aligned} g_2^{\mathbf {k}(b\cdot \hat{\alpha }, \hat{\mathbf {r}}, \hat{\mathbf {w}} )} = {\left\{ \begin{array}{ll} g_2^{\mathbf {k}(0, \hat{\mathbf {r}}, \hat{\mathbf {w}} )} & \text {if } b=0 \\ g_2^{\mathbf {k}(\hat{\alpha }, \hat{\mathbf {r}}, \hat{\mathbf {w}} )} & \text {if } b=1. \end{array}\right. } \end{aligned}$$
We say that the broadcast encoding is \(Q\)-CMH secure on \(\mathbb {G}_{p_2}\) if \(\mathsf {Adv}^{\mathsf {CMH}}_{\mathcal {A},\mathsf {\Pi },Q,\mathbb {G}_{p_2}}(\kappa )\) is negligible for all PPT adversaries \(\mathcal {A}\).
(Computational Security on \(\mathbb {G}_{p_3}\)). We define \(\mathsf {Adv}^{\mathsf {CMH}}_{\mathcal {A},\mathsf {\Pi },Q,\mathbb {G}_{p_3}}(\kappa )\) and \(Q\)-CMH security on \(\mathbb {G}_{p_3}\) via a similar game, by swapping \(g_{2}\) and \(g_3\) in the above.
Comparison with the Definition in [4]. By setting \(Q=1\), the \(Q\)-PMH and \(Q\)-CMH security defined above almost correspond to the perfect security and the co-selective security defined in [4], respectively. We need to deal with the case of \(Q\gg 1\) in order to handle the multi-challenge setting. Another difference is that we use groups whose order is a product of four primes, while they deal with a product of three primes.
We have the following lemma, which indicates that \(Q\)-PMH security unconditionally implies \(Q\)-CMH security on both \(\mathbb {G}_{p_2}\) and \(\mathbb {G}_{p_3}\).
Lemma 1
Assume that a broadcast encoding \(\mathsf {\Pi }\) satisfies \(Q\)-PMH security for some \(Q\in \mathbb {N}\). Then it follows that \(\mathsf {Adv}^{\mathsf {CMH}}_{\mathcal {A},\mathsf {\Pi },Q, \mathbb {G}_{p_i}}(\kappa ) \le d'_2/p_i\) for \(i\in \{ 2,3\}\).
3.3 Multi-master-key Hiding Security in Composite-Order Groups
Here, we define multi-master-key hiding security for a broadcast encoding, which is a more complex security notion than CMH security. A broadcast encoding scheme that satisfies this security notion can be converted into an IBE scheme, as we will see in Sect. 4.

\(\mathcal {O}^{\mathsf {MMH}, \mathsf {C}}_{\tau ^\star , \mathbf {w}}(\cdot )\) takes \(S \subset [n]\) such that \(\tau ^\star \not \in S\) as input. It then runs \(\mathsf {CEnc}(S,N)\rightarrow (\mathbf {c},d'_3)\), picks \(\mathbf {s}\overset{_\$}{\leftarrow } \mathbb {Z}_N^{d_3' + 1}\) and \(\hat{\mathbf {s}} \overset{_\$}{\leftarrow } \mathbb {Z}_N^{d_3' + 1}\) and returns \(g_1^{\mathbf {c}(\mathbf {s}, \mathbf {w})} \cdot g_2^{\mathbf {c}(\hat{\mathbf {s}}, \mathbf {w})}\).
 \(\mathcal {O}_{\tau ^\star , \mathbf {w}, b}^{\mathsf {MMH}, \mathsf {K}}(\cdot )\) ignores its input. When it is called, it first runs \(\mathsf {KEnc}(\tau ^\star , N)\rightarrow (\mathbf {k}, d'_2)\), picks \(\hat{\alpha } \overset{_\$}{\leftarrow } \mathbb {Z}_N\), \(\mathbf {r}\overset{_\$}{\leftarrow } \mathbb {Z}_N^{d'_2}\), \(\varvec{\delta }\overset{_\$}{\leftarrow } \mathbb {Z}_N^{d_2}\). Then it returns$$\begin{aligned} g_1^{\mathbf {k}(0, \mathbf {r}, \mathbf {w})} \cdot g_2^{\mathbf {k}(b\cdot \hat{\alpha },\mathbf {0}, \mathbf {0})} \cdot g_{4}^{\varvec{\delta }}= {\left\{ \begin{array}{ll} g_1^{\mathbf {k}(0,\mathbf {r},\mathbf {w})} \cdot g_{4}^{\varvec{\delta }} &{} \text {if b=0} \\ g_1^{\mathbf {k}(0, \mathbf {r}, \mathbf {w})} \cdot g_2^{\mathbf {k}(\hat{\alpha },\mathbf {0}, \mathbf {0})} \cdot g_{4}^{\varvec{\delta }} &{} \text {if b=1}. \end{array}\right. } \end{aligned}$$
In the above, \(\mathbf {r}\), \(\hat{\alpha }\), and \(\varvec{\delta }\), as well as \(\mathbf {s}\) and \(\hat{\mathbf {s}}\), are freshly chosen every time the corresponding oracle is called. We say that the broadcast encoding is \((Q_c,Q_k )\)-MMH secure on \(\mathbb {G}_{p_2}\) if \(\mathsf {Adv}^{\mathsf {MMH}}_{\mathcal {A},\mathsf {\Pi },(Q_c,Q_k),\mathbb {G}_{p_2}}(\kappa )\) is negligible for all PPT adversaries \(\mathcal {A}\).
Multi-master-key Hiding Security (on \(\mathbb {G}_{p_3}\)). We define \((Q_c, Q_k)\)-MMH security on \(\mathbb {G}_{p_3}\) and \(\mathsf {Adv}^{\mathsf {MMH}}_{\mathcal {A},\mathsf {\Pi },(Q_c,Q_k),\mathbb {G}_{p_3}}(\kappa )\) analogously to the above, with the following differences.

The input to \(\mathcal {A}\) is replaced with \((g_1,g_1^{\mathbf {w}}, g_2^{\mathbf {w}}, g_{34}, g_2, g_4)\).

\(g_1^{\mathbf {c}(\mathbf {s}, \mathbf {w})} \cdot g_2^{\mathbf {c}(\hat{\mathbf {s}}, \mathbf {w})}\) in the above is replaced with \(g_1^{\mathbf {c}(\mathbf {s}, \mathbf {w})} \cdot g_3^{\mathbf {c}(\hat{\mathbf {s}}, \mathbf {w})}\).

\(g_1^{\mathbf {k}(0, \mathbf {r}, \mathbf {w})} \cdot g_2^{\mathbf {k}(b\cdot \hat{\alpha },\mathbf {0}, \mathbf {0})} \cdot g_{4}^{\varvec{\delta }}\) is replaced with \(g_1^{\mathbf {k}(0, \mathbf {r}, \mathbf {w})} \cdot g_3^{\mathbf {k}(b\cdot \hat{\alpha },\mathbf {0}, \mathbf {0})} \cdot g_{4}^{\varvec{\delta }}\).
3.4 Reduction from MMH Security to CMH Security
The following theorem states that \((Q_c,Q_k )\)-MMH security of a broadcast encoding on \(\mathbb {G}_{p_2}\) (resp. \(\mathbb {G}_{p_3}\)) can be tightly reduced to its \(Q_c\)-CMH security on \(\mathbb {G}_{p_2}\) (resp. \(\mathbb {G}_{p_3}\)) and to the hardness of Problem 2 (resp. Problem 3).
Theorem 1
4 Almost Tight IBE from Broadcast Encoding in Composite-Order Groups
In this section, we show a generic conversion from a broadcast encoding scheme to an IBE scheme. An important property of the resulting IBE scheme is that its \((\mu ,Q_c,Q_k)\)-security can be almost tightly reduced to the \(Q_c\)-CMH security of the underlying broadcast encoding scheme (and Problems 1, 2, 3, 4, and 5). In particular, the reduction only incurs a small polynomial security loss, which is independent of \(\mu \) and \(Q_k\). Therefore, if the underlying broadcast encoding scheme is tightly \(Q_c\)-CMH secure, which is the case for all of our constructions, the IBE scheme obtained by the conversion is almost tightly secure. Note that in the following construction we have \(\mathsf {sp}= \bot \). This means that the parameter generation algorithm \(\mathsf {Par}\) does not output any secret parameter. This property will be needed to convert our IBE scheme into a CCA-secure PKE scheme in Sect. 8.
Construction. Here, we construct an IBE scheme \(\mathsf {\Phi }^\mathsf {comp}\) from a broadcast encoding \(\mathsf {\Pi }= (\mathsf {Param}, \mathsf {KEnc}, \mathsf {CEnc},\mathsf {Pair})\). Let the identity space of the scheme be \(\mathcal {ID}= \{ 0,1 \}^{\ell }\) and the message space be \(\mathcal {M}= \{ 0,1 \}^m\). We also let \(\mathcal {H}\) be a family of pairwise independent hash functions \( \mathsf {H}: \mathbb {G}_T \rightarrow \mathcal {M}\). We assume that \(\sqrt{2^m/p_2}=2^{-{\varOmega }(\kappa )}\) so that the leftover hash lemma can be applied in the security proof.

\(\mathsf {Par}(1^\kappa ):\) It first runs \((N,\mathbb {G},\mathbb {G}_T, g_1, g_2, g_3, g_4, e(\cdot ) ) \overset{_\$}{\leftarrow } \mathcal {G}_{\mathsf {comp}}(1^\kappa )\) and \(\mathsf {Param}(2\ell , N) \rightarrow d_1\). Then it picks \(\mathbf {w}\overset{_\$}{\leftarrow } \mathbb {Z}_N^{d_1}\), \(a \overset{_\$}{\leftarrow } \mathbb {Z}_N^*\), \(\mathsf {H}\overset{_\$}{\leftarrow } \mathcal {H}\) and sets \(h := (g_1 g_2 g_3 g_4)^a\). Finally, it outputs \(\mathsf {pp}= (g_1, g_1^{\mathbf {w}}, g_4, h, \mathsf {H})\) and \(\mathsf {sp}=\bot \).

\(\mathsf {Gen}(\mathsf {pp}, \mathsf {sp}):\) It picks \(\alpha \overset{_\$}{\leftarrow } \mathbb {Z}_N\) and outputs \(\mathsf {mpk}= (\mathsf {pp}, e(g_1, h)^\alpha )\) and \(\mathsf {msk}= \alpha \).
\(\mathsf {Ext}(\mathsf {msk}, \mathsf {mpk}, \mathsf {ID}):\) It first sets \(S = \{2i - \mathsf {ID}_{i} \mid i\in [\ell ] \}\), where \(\mathsf {ID}_i \in \{ 0,1 \}\) is the i-th bit of \(\mathsf {ID}\in \{ 0,1 \}^\ell \). Then it runs \(\mathsf {KEnc}(j,N)\rightarrow \bigl (\mathbf {k}_{j}, d'_{2} \bigr )\) and picks \(\mathbf {r}_{j} \overset{_\$}{\leftarrow } \mathbb {Z}_N^{d'_{2}}\) and \(\varvec{\delta }_{j}\overset{_\$}{\leftarrow } \mathbb {Z}_N^{d_2}\) for all \(j \in S\). It also picks random \(\{ \alpha _{j} \in \mathbb {Z}_N \}_{j \in S}\) subject to the constraint \(\alpha = \sum _{j\in S}\alpha _{j} \). Then, for all \(j\in S\), it computes \(g_1^{ \mathbf {k}_{j}(0,\mathbf {r}_{j},\mathbf {w}) }\), \(\mathsf {Pair}(j, S, N)\rightarrow \mathbf {E}_{j}\), and$$\begin{aligned} \mathsf {sk}_{j}= h^{\mathbf {k}_j(\alpha _j, \mathbf {0}, \mathbf {0})} \cdot g_1^{\mathbf {k}_{j}(0,\mathbf {r}_{j},\mathbf {w})} \cdot g_4^{\varvec{\delta }_{j}} . \end{aligned}$$Note that \(g_1^{ \mathbf {k}_{j}(0,\mathbf {r}_{j},\mathbf {w}) }\) can be computed from \(g_1^{\mathbf {w}}\) and \(\mathbf {r}_j=(r_{j,1}, \ldots , r_{j,d'_2})\) efficiently because \(\mathbf {k}_j(0,\mathbf {r}_j,\mathbf {w})\) contains only linear combinations of the monomials \(r_{j,i}\) and \(r_{j,i} w_{j'}\). Finally, it outputs the private key \( \mathsf {sk}_{\mathsf {ID}}= \prod _{j\in S} (\mathsf {sk}_{j} )^{\mathbf {E}_j} . \)
\(\mathsf {Enc}(\mathsf {mpk}, \mathsf {ID}, \mathsf {M}):\) It first sets \(S = \{2i - \mathsf {ID}_{i} \mid i\in [\ell ] \}\). Then it runs \(\mathsf {CEnc}(S,N) \rightarrow (\mathbf {c}, d'_3)\), picks \(\mathbf {s}=(s_0,s_1,\ldots , s_{d'_3}) \overset{_\$}{\leftarrow } \mathbb {Z}_N^{d'_3 +1}\), and computes \(g_1^{\mathbf {c}(\mathbf {s},\mathbf {w})}\). Note that \(g_1^{\mathbf {c}(\mathbf {s},\mathbf {w})}\) can be computed from \(g_1^{\mathbf {w}}\) and \(\mathbf {s}\) efficiently because \(\mathbf {c}(\mathbf {s},\mathbf {w})\) contains only linear combinations of the monomials \(s_i\) and \(s_i w_j\). Finally, it outputs$$\begin{aligned} \mathsf {CT}= \left( ~ C_1 = g_1^{\mathbf {c}(\mathbf {s},\mathbf {w})},\quad C_2 = \mathsf {H}\bigl (e(g_1, h)^{s_0 \alpha } \bigr ) \oplus \mathsf {M}~ \right) \!. \end{aligned}$$Here, \(\oplus \) denotes the bitwise exclusive OR of two bit strings.

\(\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathsf {CT}):\) It parses \(\mathsf {CT}\rightarrow (C_1, C_2)\) and computes \(e(\mathsf {sk}_\mathsf {ID}^\top , C_1^\top )= e(g_1,h)^{s_0 \alpha }\). Then, it recovers the message by \(\mathsf {M}= C_2 \oplus \mathsf {H}(e(g_1,h)^{s_0 \alpha } )\).
Security. The following theorem states that the security of the IBE is (almost) tightly reduced to the MMH security of the underlying broadcast encoding on \(\mathbb {G}_{p_2}\) and \(\mathbb {G}_{p_3}\) and to Problems 1, 4, and 5. Combining the theorem with Theorem 1, the security of the scheme can be almost tightly reduced to the \(Q_c\)-CMH security of the underlying encoding (and Problems 1, 2, 3, 4, and 5). The reduction only incurs \(O(\ell )\) security loss.
Theorem 2
5 Framework for Constructions in Prime-Order Groups
In Sects. 3 and 4, we showed our framework for constructing almost tightly secure IBE in composite-order groups. Since we carefully designed the framework so that only the subgroup decision assumptions and the DBDH assumption are used in the security proof, we can apply recent composite-order-to-prime-order conversion techniques from the literature [2, 3, 16, 18] to it. We choose to use [3], but other choices might be possible. In this section, we show our framework for constructing almost tightly secure IBE in prime-order groups. It is almost parallel to the composite-order one: we define CMH security and MMH security in prime-order groups, show a reduction between them, and finally give a generic construction of an IBE scheme from a broadcast encoding and show that the scheme is (almost) tightly secure if the underlying encoding is tightly CMH secure.
In the following, we use an asymmetric bilinear group \((\mathbb {G}_1,\mathbb {G}_2,\mathbb {G}_T)\) of prime order p with an efficiently computable and non-degenerate bilinear map \(e(\cdot ):\mathbb {G}_1 \times \mathbb {G}_2 \rightarrow \mathbb {G}_T\). For our purpose, we define a prime-order bilinear group generator \(\mathcal {G}_{\mathsf {prime}}\) that takes as input a security parameter \(1^\kappa \) and outputs \((p,\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, g,h, e(\cdot ) )\), where g and h are random generators of \(\mathbb {G}_1\) and \(\mathbb {G}_2\), respectively. Let \(\pi _1 : \mathbb {Z}_{p}^{4\times 4} \rightarrow \mathbb {Z}_{p}^{4\times 2}\), \(\pi _2: \mathbb {Z}_{p}^{4\times 4} \rightarrow \mathbb {Z}_{p}^{4\times 1}\), and \(\pi _3: \mathbb {Z}_{p}^{4\times 4} \rightarrow \mathbb {Z}_{p}^{4\times 1}\) be the projection maps that map a \(4 \times 4\) matrix to its leftmost two columns, its third column, and its fourth column, respectively.
Intuition. In prime-order groups, we work with \(4\times 4\) matrices. The first two dimensions serve as the “normal space” (corresponding to \(\mathbb {G}_{p_1}\)), while the third and the fourth dimensions serve as two “semi-functional spaces” (corresponding to \(\mathbb {G}_{p_2}\) and \(\mathbb {G}_{p_3}\)). There is no dimension corresponding to \(\mathbb {G}_{p_4}\). While the use of \(4\times 4\) matrices is similar to Chen and Wee [17, 19]^{5}, our techniques are conceptually quite different from theirs. They use the first two dimensions as a normal space and the last two dimensions as a single semi-functional space. In contrast, we introduce an additional semi-functional space in order to prove multi-challenge security rather than single-challenge security. Furthermore, due to our new proof technique, these semi-functional spaces are smaller than those of [17, 19].
5.1 Preparation
Correctness of Encoding. Let \(\tau \in [n]\) and \(S\subseteq [n]\) be an index and a set such that \(\tau \in S\). Let also \(\mathsf {KEnc}(\tau ,p)\rightarrow \bigl (\mathbf {k}, d'_{2} \bigr )\), \(\mathsf {CEnc}(S,p) \rightarrow (\mathbf {c}, d'_3)\), and \(\mathsf {Pair}(\tau , S, p) \rightarrow \mathbf {E}=(E_{\eta ,\iota })_{(\eta ,\iota )\in [d_2]\times [d_3]} \in \mathbb {Z}_p^{d_2 \times d_3 }\). Then, by the correctness of the broadcast encoding, we have \(\sum _{(\eta ,\iota )\in [d_2]\times [d_3]} E_{\eta ,\iota } k_{\eta } c_{\iota }=\alpha s_0\) (the equation holds symbolically). From this, we have the following. (Note that the claim is shown similarly to Claim 15 in [3].)
Lemma 2
We have \( \sum _{(\eta ,\iota )\in [d_2]\times [d_3]} E_{\eta ,\iota }\cdot k_{\mathbf {Z},\eta }(\varvec{\alpha }, \mathbf {X}, \mathbb {W})^\top c_{\mathbf {B},\iota }(\mathbf {Y},\mathbb {W}) = \varvec{\alpha }^\top \mathbf {B}\mathbf {y}_0. \)
CMH and MMH Security. In the full version [6], we define Q-CMH security for broadcast encodings on prime-order groups, analogously to the corresponding notion on composite-order groups. We also define \((Q_c,Q_k)\)-MMH security for broadcast encodings on prime-order groups. The former is (unconditionally) implied by Q-PMH security. Furthermore, we can show that the latter is tightly reduced to the former, similarly to the case of composite-order groups.
5.2 Almost Tightly Secure IBE from Broadcast Encoding in Prime-Order Groups
Here, we construct an IBE scheme \(\mathsf {\Phi }^\mathsf {prime}\) from a broadcast encoding scheme \(\mathsf {\Pi }= (\mathsf {Param}, \mathsf {KEnc}, \mathsf {CEnc}, \mathsf {Pair})\). Let the identity space of \(\mathsf {\Phi }^\mathsf {prime}\) be \(\mathcal {ID}= \{ 0,1 \}^{\ell }\) and the message space be \(\mathcal {M}= \mathbb {G}_T\). Unlike our construction in composite-order groups, we do not use a pairwise independent hash function here. As in the composite-order construction, we have \(\mathsf {sp}= \bot \) in the following.
\(\mathsf {Par}(1^\kappa , \ell ):\) It first runs \((p,\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, g,h, e(\cdot ) ) \overset{_\$}{\leftarrow } \mathcal {G}_{\mathsf {prime}}(1^\kappa )\) and \(\mathsf {Param}(2\ell , p) \rightarrow d_1\). Then it picks \(\mathbf {B}\overset{_\$}{\leftarrow } \mathbb {GL}_{4}(\mathbb {Z}_p)\), \(\mathbb {W}=(\mathbf {W}_1,\ldots , \mathbf {W}_{d_1})\overset{_\$}{\leftarrow } (\mathbb {Z}_p^{4 \times 4})^{d_1}\), and a random full-rank diagonal matrix \(\mathbf {D}\in \mathbb {Z}_p^{ 4 \times 4 }\) whose entries (3, 3) and (4, 4) are 1. Finally, it sets \(\mathbf {Z}= \mathbf {B}^{-\top }\mathbf {D}\) and outputs$$\begin{aligned} \mathsf {pp}=\left( \begin{matrix} g,&{} g^{\pi _1(\mathbf {B})},&{} g^{\pi _1(\mathbf {W}_1 \mathbf {B})}, &{}\ldots ,&{}g^{\pi _1(\mathbf {W}_{d_1} \mathbf {B})} \\ h, &{} h^{\pi _1(\mathbf {Z})},&{} h^{\pi _1(\mathbf {W}^\top _1 \mathbf {Z})},&{} \ldots ,&{} h^{\pi _1(\mathbf {W}^\top _{d_1} \mathbf {Z})} \end{matrix} \right) \quad \text{ and } \quad \mathsf {sp}= \bot . \end{aligned}$$
In the following, we omit the subscripts \(\mathbf {B}\) and \(\mathbf {Z}\) from \(\mathbf {c}_{\mathbf {B}}(\mathbf {S},\mathbb {W}) \) and \(\mathbf {k}_{\mathbf {Z}}(\varvec{\alpha }, \mathbf {R}, \mathbb {W})\) and simply write \(\mathbf {c}(\mathbf {S},\mathbb {W}) \) and \(\mathbf {k}(\varvec{\alpha }, \mathbf {R}, \mathbb {W})\), since \(\mathbf {B}\) and \(\mathbf {Z}\) are fixed and clear from the context.

\(\mathsf {Gen}(\mathsf {pp}):\) It picks \(\varvec{\alpha }\overset{_\$}{\leftarrow } \mathbb {Z}_{p}^{4\times 1}\) and outputs \(\mathsf {mpk}= (\mathsf {pp},e(g,h)^{\varvec{\alpha }^\top \pi _1(\mathbf {B})} )\) and \(\mathsf {msk}= \varvec{\alpha }\).
\(\mathsf {Ext}(\mathsf {msk}, \mathsf {mpk}, \mathsf {ID}):\) It first sets \(S = \{2i - \mathsf {ID}_{i} \mid i\in [\ell ] \}\), where \(\mathsf {ID}_i \in \{ 0,1 \}\) is the i-th bit of \(\mathsf {ID}\in \{ 0,1 \}^\ell \). Then it runs \(\mathsf {KEnc}(j,p)\rightarrow \bigl (\mathbf {k}_{j}, d'_{2} \bigr )\), picks \(\mathbf {r}_{j,1}, \ldots , \mathbf {r}_{j,d'_2} \overset{_\$}{\leftarrow } \mathbb {Z}_p^{2\times 1}\), and sets \(\mathbf {R}_{j} = (\mathbf {r}_{j,1}, \ldots , \mathbf {r}_{j,d'_2})\) for all \(j\in S\). It also picks random \(\{ \varvec{\alpha }_{j} \in \mathbb {Z}_p^{4\times 1} \}_{j \in S}\) subject to the constraint \(\varvec{\alpha }= \sum _{j\in S}\varvec{\alpha }_{j} \). Then, for all \(j\in S\), it computes \(\mathsf {Pair}(j, S, p)\rightarrow \mathbf {E}_{j}=(E_{j,\eta ,\iota })_{(\eta ,\iota )\in [d_2]\times [d_3]}\) and$$\begin{aligned} \mathsf {sk}_{j}= h^{\mathbf {k}_{j}(\varvec{\alpha }_{j},\mathbf {R}_{j},\mathbb {W})} = \{ \mathsf {sk}_{j,\eta } = h^{k_{j,\eta }(\varvec{\alpha }_{j},\mathbf {R}_{j},\mathbb {W})} \}_{\eta \in [d_2]} . \end{aligned}$$Note that \(h^{\mathbf {k}_{j}(\varvec{\alpha }_{j},\mathbf {R}_{j},\mathbb {W})}\) can be computed from \(\varvec{\alpha }_j\), \(h^{\pi _1(\mathbf {Z})}\), and \(\{ h^{\pi _1(\mathbf {W}_i^\top \mathbf {Z})} \}_{i\in [d_1]}\) efficiently because each entry of \(\mathbf {k}_{j}(\varvec{\alpha }_{j},\mathbf {R}_{j},\mathbb {W}) = \{ k_{j,\eta }(\varvec{\alpha }_{j},\mathbf {R}_{j},\mathbb {W}) \}_{\eta \in [d_2]}\) is a linear combination of \(\varvec{\alpha }_j\) and of terms of the form \(\pi _1(\mathbf {Z})\mathbf {r}_{j,i}\) and \(\pi _1(\mathbf {W}_{i'}^\top \mathbf {Z})\mathbf {r}_{j,i}\). Finally, it outputs the private key \( \mathsf {sk}_{\mathsf {ID}}=\bigl \{ \prod _{j\in S, \eta \in [d_2]} \mathsf {sk}_{j,\eta }^{E_{j,\eta ,\iota }} \bigr \}_{\iota \in [d_3]}. \)
\(\mathsf {Enc}(\mathsf {mpk}, \mathsf {ID}, \mathsf {M}):\) It first sets \(S = \{2i - \mathsf {ID}_{i} \mid i\in [\ell ] \}\). Then it runs \(\mathsf {CEnc}(S,p) \rightarrow (\mathbf {c}, d'_3)\), picks \(\mathbf {s}_0, \mathbf {s}_1, \ldots , \mathbf {s}_{d'_3} \overset{_\$}{\leftarrow } \mathbb {Z}_p^{2\times 1}\), and sets \(\mathbf {S}= (\mathbf {s}_0, \mathbf {s}_1, \ldots , \mathbf {s}_{d'_3})\). Then it returns$$\begin{aligned} \mathsf {CT}= \left( ~ C_1 = g^{\mathbf {c}(\mathbf {S},\mathbb {W})}, \quad C_2 = e(g, h)^{ \varvec{\alpha }^\top \pi _1(\mathbf {B}) \mathbf {s}_0 } \cdot \mathsf {M}~ \right) . \end{aligned}$$Note that \(g^{\mathbf {c}(\mathbf {S},\mathbb {W})}\) can be computed from \(g^{\pi _1(\mathbf {B})}\) and \(\{ g^{\pi _1(\mathbf {W}_i \mathbf {B})} \}_{i\in [d_1]}\) efficiently because each entry of \(\mathbf {c}(\mathbf {S},\mathbb {W})\) is a linear combination of terms of the form \(\pi _1(\mathbf {B})\mathbf {s}_i\) and \(\pi _1(\mathbf {W}_j \mathbf {B})\mathbf {s}_i\). \(C_2\) can be computed from \( e(g,h)^{\varvec{\alpha }^\top \pi _1(\mathbf {B})} \).
\(\mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathsf {CT}):\) Let \(\mathsf {CT}= (C_1, C_2)\). From \(C_1 = g^{\mathbf {c}(\mathbf {S},\mathbb {W})} = \{ g^{c_{\iota }(\mathbf {S},\mathbb {W})} \}_{\iota \in [d_3]}\), it computes$$\begin{aligned} \prod _{\iota \in [d_3]} e\left( g^{ c_{\iota }(\mathbf {S}, \mathbb {W})},\prod _{j\in S, \eta \in [d_2]} \mathsf {sk}_{j,\eta }^{E_{j,\eta ,\iota }} \right) = e(g,h )^{\varvec{\alpha }^\top \pi _1(\mathbf {B})\mathbf {s}_0} \end{aligned}$$(6) and recovers the message by \(C_2/e(g,h )^{\varvec{\alpha }^\top \pi _1(\mathbf {B})\mathbf {s}_0} = \mathsf {M}\).
Security. Assume that the broadcast encoding satisfies the regularity requirement. Then we can show that the security of the above IBE is reduced to the hardness of the (standard) decisional linear assumption and the \((Q_c,Q_k)\)-MMH security of the underlying broadcast encoding on prime-order groups. The reduction only incurs \(O(\ell )\) security loss. Since \(Q_c\)-CMH security tightly implies \((Q_c,Q_k)\)-MMH security, the above IBE scheme is (almost) tightly secure if the underlying broadcast encoding is tightly \(Q_c\)-CMH secure. The details will appear in the full version [6].
6 Construction of Broadcast Encoding Schemes
In this section, we show two broadcast encoding schemes, \(\mathsf {\Pi }_{\mathsf {cc}}\) and \(\mathsf {\Pi }_{\mathsf {slp}}\). For both schemes, we can tightly prove \(Q_c\)-CMH security for any \(Q_c\). Therefore, by applying the conversions in Sects. 4 and 5, we obtain IBE schemes with almost tight security in the multi-challenge and multi-instance setting, both in prime- and composite-order groups. The IBE obtained from \(\mathsf {\Pi }_\mathsf {cc}\) achieves constant-size ciphertexts, but at the cost of public parameters whose number of group elements is linear in the security parameter. Our second broadcast encoding scheme \(\mathsf {\Pi }_{\mathsf {slp}}\) partially compensates for this: by setting its parameters appropriately, we can realize a trade-off between the size of the ciphertexts and that of the public parameters. For example, from this encoding we obtain the first almost tightly secure IBE whose entire communication cost (the size of \(\mathsf {pp}\) and \(\mathsf {CT}\)) is \(O(\sqrt{\kappa })\). Such a scheme is not known even in the single-challenge setting [9, 17]. While the structure of \(\mathsf {\Pi }_{\mathsf {cc}}\) is implicit in [25], \(\mathsf {\Pi }_{\mathsf {slp}}\) is new. The construction of \(\mathsf {\Pi }_{\mathsf {slp}}\) is inspired by recent works on unbounded attribute-based encryption [38, 43, 44]; however, the security proof for the encoding is completely different.
6.1 Broadcast Encoding with Constant-Size Ciphertexts
First, we present the broadcast encoding scheme that we call \(\mathsf {\Pi }_{\mathsf {cc}}\). The scheme has the same structure as the broadcast encryption scheme proposed by Gentry and Waters [25]. For \(\mathsf {\Pi }_{\mathsf {cc}}\), we can prove Q-PMH security for any Q. By Lemma 1, Q-CMH security of \(\mathsf {\Pi }_{\mathsf {cc}}\) on \(\mathbb {G}_{p_2}\) and \(\mathbb {G}_{p_3}\) can therefore be tightly proven unconditionally. A similar implication holds in prime-order groups.

\(\mathsf {Param}(n,N)\rightarrow d_1:\) It outputs \(d_1 = n\).

\(\mathsf {KEnc}(\tau ,N)\rightarrow (\mathbf {k},d'_2):\) It outputs \(\mathbf {k}= (\alpha + r w_{\tau }, rw_1,\ldots , rw_{\tau -1}, r, rw_{\tau +1}, \ldots , rw_n)\) and \(d'_2 = 1\), where \(\mathbf {r}= r\).

\(\mathsf {CEnc}(S,N)\rightarrow (\mathbf {c}, d'_3):\) Let \(S\subseteq [n]\). It outputs \(\mathbf {c}= (s,~ \sum _{j\in S}sw_j )\) and \(d'_3=0\) where \(\mathbf {s}= s\).
Lemma 3
\(\mathsf {\Pi }_{\mathsf {cc}}\) defined above is Q-PMH secure for any \(Q \in \mathbb {N}\).
Proof
Let \(\tau \not \in \cup _{j\in [Q]} S_j \). It is clear that no information on \(w_{\tau }\) is leaked by \( \{ \mathbf {c}_{S_j}(\mathbf {s}_j,\mathbf {w}) \}_{j\in [Q] }\). Thus, \(\alpha \) is information-theoretically hidden in \( \mathbf {k}_\tau (\alpha , \mathbf {r}, \mathbf {w})\), because \(\alpha \) is masked by \(rw_\tau \), which is uniformly random over \(\mathbb {Z}_p\). The lemma follows.
6.2 Encoding with Sublinear Parameters
We propose the following broadcast encoding scheme, which we call \(\mathsf {\Pi }_{\mathsf {slp}}\). The choice of \(n_1\) realizes a trade-off between the sizes of the parameters. For this encoding scheme we are not able to show Q-PMH security; instead, we show Q-CMH security.

\(\mathsf {Param}(n,N)\rightarrow d_1:\) It outputs \(d_1 = 2 n_1 + 3\). We let \(n_2 = \lceil n/n_1 \rceil \). For ease of notation, we denote \(\mathbf {w}= (u_1,\ldots ,u_{n_1}, v, u'_1,\ldots ,u'_{n_1}, v', w)\) in the following.
\(\mathsf {KEnc}(\tau ,N)\rightarrow (\mathbf {k},d'_2):\) It computes the unique \(\tau _1 \in [n_1]\) and \(\tau _2 \in [n_2]\) such that \(\tau =\tau _1 + (\tau _2 -1 )\cdot n_1 \). Then it sets \(d'_2=1\) and \(\mathbf {r}= r\) and outputs$$\begin{aligned} \mathbf {k}= \left( ~ \alpha + rw, r, r(v+ \tau _2 u_{\tau _1}), \{ ru_i \}_{i\in [n_1]\backslash \{ \tau _1 \} }, r(v'+ \tau _2 u'_{\tau _1}), \{ ru'_i \}_{i\in [n_1]\backslash \{ \tau _1 \} } \right) \!. \end{aligned}$$
\(\mathsf {CEnc}(S,N)\rightarrow (\mathbf {c}, d'_3):\) It first defines \(\tilde{S}_j\) and \(S_j\) for \(j\in [n_2]\) as$$\begin{aligned} \tilde{S}_j = S \cap [(j-1)n_1 +1, jn_1], \quad S_j = \{ j' - (j-1)n_1 ~ \mid ~ j'\in \tilde{S}_j \}, \end{aligned}$$sets \(\mathbf {s}= (s_0,t_1,\ldots , t_{n_2}, t'_1,\ldots , t'_{n_2} )\) and \(d'_3= 2n_2 +1\), and outputs$$\begin{aligned} \mathbf {c}= \Bigl (s_0, ~ \{ ~ s_0w + t_{i} \bigl (v + i \sum _{j \in S_i} u_{j} \bigr ) + t'_{i} \bigl (v' + i \sum _{j \in S_i} u'_{j} \bigr ), \quad t_{i},\quad t'_i ~ \}_{i\in [n_2]} \Bigr ). \end{aligned}$$
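As an added example (not code from the paper or its authors), the following Python script implements \(\mathsf {KEnc}\) and \(\mathsf {CEnc}\) of both \(\mathsf {\Pi }_{\mathsf {cc}}\) (Sect. 6.1) and \(\mathsf {\Pi }_{\mathsf {slp}}\) (Sect. 6.2) as plain arithmetic over \(\mathbb {Z}_p\) and checks the correctness condition \(\sum _{(\eta ,\iota )} E_{\eta ,\iota } k_{\eta } c_{\iota } = \alpha s_0\) that \(\mathsf {Pair}\) must satisfy (Sect. 5.1), on random values. The paper does not spell out the \(\mathsf {Pair}\) algorithms, so the reconstruction matrices \(\mathbf {E}\) returned by `cc_pair` and `slp_pair` are my own derivation and an assumption, as is the toy prime `P`. Vector entries are stored in dicts keyed by a name rather than in ordered lists, so the check does not depend on the order in which the entries of \(\mathbf {k}\) and \(\mathbf {c}\) are listed.

```python
import random

P = (1 << 61) - 1   # constructed toy prime; real instantiations use a large p or N

def rnd():
    return random.randrange(1, P)

# ---- Pi_cc (Sect. 6.1): k = (alpha + r w_tau, r w_1, ..., r, ..., r w_n),
#      c = (s, s * sum_{j in S} w_j).  w is a dict indexed 1..n. ----
def cc_kenc(tau, n, alpha, r, w):
    k = {"a": (alpha + r * w[tau]) % P}
    for i in range(1, n + 1):                 # entry tau holds r itself
        k[("w", i)] = r % P if i == tau else (r * w[i]) % P
    return k

def cc_cenc(S, s, w):
    return {"s": s % P, "sw": (s * sum(w[j] for j in S)) % P}

def cc_pair(tau, S):
    # alpha*s = k_a c_s - k_tau c_sw + sum_{j in S, j != tau} k_j c_s  (my derivation)
    assert tau in S, "Pair is only defined for tau in S"
    E = {("a", "s"): 1, (("w", tau), "sw"): P - 1}      # P - 1 is -1 mod P
    for j in S:
        if j != tau:
            E[(("w", j), "s")] = 1
    return E

# ---- Pi_slp (Sect. 6.2): w = (u_1..u_n1, v, u'_1..u'_n1, v', w) as a dict,
#      tau = tau1 + (tau2 - 1) n1, S split into blocks S_i of size n1. ----
def slp_split(tau, n1):
    return (tau - 1) % n1 + 1, (tau - 1) // n1 + 1      # (tau1, tau2)

def slp_kenc(tau, n1, alpha, r, w):
    t1, t2 = slp_split(tau, n1)
    k = {"a": (alpha + r * w["w"]) % P, "r": r % P,
         "v": r * (w["v"] + t2 * w[("u", t1)]) % P,
         "v'": r * (w["v'"] + t2 * w[("u'", t1)]) % P}
    for i in range(1, n1 + 1):
        if i != t1:
            k[("u", i)] = r * w[("u", i)] % P
            k[("u'", i)] = r * w[("u'", i)] % P
    return k

def slp_blocks(S, n1, n2):
    # S_i = { j' - (i-1) n1 : j' in S and (i-1) n1 < j' <= i n1 }
    return {i: {j - (i - 1) * n1 for j in S if (i - 1) * n1 < j <= i * n1}
            for i in range(1, n2 + 1)}

def slp_cenc(S, n1, n2, s0, t, tp, w):
    blocks, c = slp_blocks(S, n1, n2), {"s0": s0 % P}
    for i in range(1, n2 + 1):
        su = sum(w[("u", j)] for j in blocks[i])
        sup = sum(w[("u'", j)] for j in blocks[i])
        c[("main", i)] = (s0 * w["w"] + t[i] * (w["v"] + i * su)
                          + tp[i] * (w["v'"] + i * sup)) % P
        c[("t", i)], c[("t'", i)] = t[i] % P, tp[i] % P
    return c

def slp_pair(tau, S, n1, n2):
    # Only block i = tau2 is used; the factor i cancels the i inside CEnc (my derivation)
    t1, i = slp_split(tau, n1)
    blk = slp_blocks(S, n1, n2)[i]
    assert t1 in blk, "Pair is only defined for tau in S"
    E = {("a", "s0"): 1, ("r", ("main", i)): P - 1,
         ("v", ("t", i)): 1, ("v'", ("t'", i)): 1}
    for j in blk:
        if j != t1:
            E[(("u", j), ("t", i))] = E[(("u'", j), ("t'", i))] = i % P
    return E

def reconstruct(E, k, c):
    # The Pair step: sum_{(eta,iota)} E[eta,iota] * k_eta * c_iota  (mod P)
    return sum(coef * k[eta] * c[iota] for (eta, iota), coef in E.items()) % P

def check_cc(n=8, tau=3, S=(1, 3, 6)):
    w = {i: rnd() for i in range(1, n + 1)}
    alpha, r, s = rnd(), rnd(), rnd()
    out = reconstruct(cc_pair(tau, S), cc_kenc(tau, n, alpha, r, w), cc_cenc(S, s, w))
    return out == alpha * s % P

def check_slp(n=12, n1=4, tau=7, S=(2, 7, 8, 11)):
    n2 = -(-n // n1)                                     # ceil(n / n1)
    w = {"v": rnd(), "v'": rnd(), "w": rnd()}
    for i in range(1, n1 + 1):
        w[("u", i)], w[("u'", i)] = rnd(), rnd()
    alpha, r, s0 = rnd(), rnd(), rnd()
    t = {i: rnd() for i in range(1, n2 + 1)}
    tp = {i: rnd() for i in range(1, n2 + 1)}
    out = reconstruct(slp_pair(tau, S, n1, n2), slp_kenc(tau, n1, alpha, r, w),
                      slp_cenc(S, n1, n2, s0, t, tp, w))
    return out == alpha * s0 % P

if __name__ == "__main__":
    print("Pi_cc correct:", check_cc(), " Pi_slp correct:", check_slp())
```

Because the encodings are linear in \(\alpha \), \(\mathbf {r}\) and \(\mathbf {s}\), checking the identity on random values is exactly the symbolic correctness the paper requires; the same dict-based vectors also make the Q-PMH intuition of Lemma 3 visible, since `cc_cenc` never reads `w[tau]` when \(\tau \notin S\).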
6.3 Implications
For an encoding \(\mathsf {\Pi }_{\mathrm{xx}}\), we write \(\mathsf {\Phi }^\mathsf {comp}_{\mathrm{xx}}\) for the IBE scheme obtained by applying the conversion in Sect. 4 to \(\mathsf {\Pi }_{\mathrm{xx}}\). Similarly, we write \(\mathsf {\Phi }^\mathsf {prime}_{\mathrm{xx}}\) for the scheme obtained by the conversion in Sect. 5.2. \(\mathsf {\Phi }^\mathsf {prime}_{{\mathsf {cc}}}\) and \(\mathsf {\Phi }^\mathsf {prime}_{{\mathsf {slp}}}\) are the first IBE schemes that are (almost) tightly secure in the multi-challenge and multi-instance setting under a static assumption in prime-order groups (the DLIN assumption). \(\mathsf {\Phi }^\mathsf {comp}_{{\mathsf {cc}}}\) and \(\mathsf {\Phi }^\mathsf {prime}_{{\mathsf {cc}}}\) achieve constant-size ciphertexts, meaning that the number of group elements in a ciphertext is constant. The drawback of these schemes is their long public parameters. In \(\mathsf {\Phi }^\mathsf {comp}_{{\mathsf {slp}}}\) and \(\mathsf {\Phi }^\mathsf {prime}_{{\mathsf {slp}}}\), we can trade off the size of the ciphertexts against that of the public parameters. For example, by setting \(n_1 = \sqrt{n}\), we obtain the first almost tightly secure IBE scheme in which all communication cost (the size of the public parameters, the master public keys, and the ciphertexts) is sublinear in the security parameter. Such a scheme is not known in the literature, even in the single-challenge and single-instance setting. See also Table 1 in Sect. 1 for an overview of the obtained schemes.
7 Anonymous IBE with Tight Security Reduction
None of the IBE schemes obtained so far is anonymous: in these schemes, one can efficiently check, using pairing computations, that a ciphertext has a specific form, which leads to an attack against anonymity. In this section, we show that \(\mathsf {\Phi }^\mathsf {prime}_\mathsf {cc}\) can be made anonymous by removing all group elements in \(\mathbb {G}_2\) from the public parameter \(\mathsf {pp}\) and putting them in \(\mathsf {sp}\) instead. We call the resulting scheme \(\mathsf {\Phi }_\mathsf {anon}\). This is the first IBE scheme whose anonymity is (almost) tightly proven in the multi-challenge setting. While our technique for making the scheme anonymous is similar to that in [16], the security proof for our scheme requires some new ideas, because [16] only deals with the single-challenge setting whereas we prove tight security in the multi-challenge setting. In the security proof, we introduce a new combination of an information-theoretic argument (as in [16]) and a computational argument.
Construction. Let the identity space of the scheme be \(\{ 0,1 \}^\ell \) and the message space be \(\mathbb {G}_T\). We note that, unlike the other constructions in this paper, we have \(\mathsf {sp}\ne \bot \) in the following.

\(\mathsf {Par}(1^\kappa , \ell ):\) It first runs \((p,\mathbb {G}_1, \mathbb {G}_2, \mathbb {G}_T, g,h, e(\cdot ) ) \overset{_\$}{\leftarrow } \mathcal {G}_{\mathsf {prime}}(1^\kappa )\). Then it picks \(\mathbf {B}\overset{_\$}{\leftarrow } \mathbb {GL}_{4}(\mathbb {Z}_p)\), \(\mathbf {W}_1,\ldots , \mathbf {W}_{2\ell } \overset{_\$}{\leftarrow } \mathbb {Z}_p^{4 \times 4}\), and a random full-rank diagonal matrix \(\mathbf {D}\in \mathbb {Z}_p^{ 4 \times 4 }\) whose entries (3, 3) and (4, 4) are 1. Finally, it sets \(\mathbf {Z}= \mathbf {B}^{-\top }\mathbf {D}\) and returns \(\mathsf {pp}=(g, g^{\pi _1(\mathbf {B})}, g^{\pi _1(\mathbf {W}_1 \mathbf {B})}, \ldots ,g^{\pi _1(\mathbf {W}_{2\ell } \mathbf {B})})\) and \(\mathsf {sp}=(h, h^{\pi _1(\mathbf {Z})}, h^{\pi _1(\mathbf {W}^\top _1 \mathbf {Z})},\ldots ,h^{\pi _1(\mathbf {W}^\top _{2\ell } \mathbf {Z})}).\)

\(\mathsf {Gen}(\mathsf {pp},\mathsf {sp}):\) It picks \(\varvec{\alpha }\overset{_\$}{\leftarrow } \mathbb {Z}_{p}^{4\times 1}\) and outputs \(\mathsf {mpk}= (\mathsf {pp},e(g,h)^{\varvec{\alpha }^\top \pi _1(\mathbf {B})} )\) and \(\mathsf {msk}= (\varvec{\alpha }, \mathsf {sp})\).

\(\mathsf {Ext}(\mathsf {msk}, \mathsf {mpk}, \mathsf {ID}):\) It first sets \(S = \{2i - \mathsf {ID}_{i} \mid i\in [\ell ] \}\), where \(\mathsf {ID}_i \in \{ 0,1 \}\) is the i-th bit of \(\mathsf {ID}\in \{ 0,1 \}^\ell \). Then it picks random \(\mathbf {r}\overset{_\$}{\leftarrow } \mathbb {Z}_p^{2\times 1}\) and returns \(\mathsf {sk}_{\mathsf {ID}}=(K_1=h^{ \varvec{\alpha }+ \sum _{i\in S} \pi _1(\mathbf {W}_i^\top \mathbf {Z}) \mathbf {r}},~K_2=h^{ \pi _1(\mathbf {Z}) \mathbf {r}}).\)

\(\mathsf {Enc}(\mathsf {mpk}, \mathsf {ID}, \mathsf {M}):\) It first sets \(S = \{2i - \mathsf {ID}_{i} \mid i\in [\ell ] \}\). Then it picks random \(\mathbf {s}\overset{_\$}{\leftarrow } \mathbb {Z}_p^{2\times 1} \) and returns \(\mathsf {CT}=(C_1=g^{ \pi _1(\mathbf {B}) \mathbf {s}},~ C_2= g^{ \sum _{i\in S} \pi _1(\mathbf {W}_i \mathbf {B}) \mathbf {s}},~ C_3 = e(g,h)^{\varvec{\alpha }^\top \pi _1(\mathbf {B}) \mathbf {s}}\cdot \mathsf {M}).\)

\( \mathsf {Dec}(\mathsf {sk}_{\mathsf {ID}}, \mathsf {CT}):\) It parses the ciphertext \(\mathsf {CT}\) as \(\mathsf {CT}\rightarrow (C_1, C_2, C_3)\), and computes \(e(C_1,K_1)e(C_2,K_2)=e(g,h )^{\varvec{\alpha }^\top \pi _1(\mathbf {B})\mathbf {s}}\). Then, it recovers the message by \(C_3/e(g,h )^{\varvec{\alpha }^\top \pi _1(\mathbf {B})\mathbf {s}} = \mathsf {M}\).
Security. We can prove \((1,Q_c,Q_k)\)-anonymity of \(\mathsf {\Phi }_\mathsf {anon}\) under the DLIN assumption (single-instance case). The reduction cost is \(O(\ell )\), which is independent of \(Q_c\) and \(Q_k\). While we think that it is not difficult to extend the result to the multi-instance setting, we do not treat it in this paper.
8 Application to CCA Secure Public Key Encryption
Here, we show that our IBE schemes with almost tight security reductions in the multi-instance and multi-challenge setting yield almost tightly CCA-secure PKE in the same setting, via a simple modification of the Canetti-Halevi-Katz (CHK) transformation [15]. The difference from the ordinary CHK transformation is that we use the (tightly secure) Q-fold one-time signature introduced and constructed in [30]. Another difference is that we need a restriction on the original IBE scheme: we require that the parameter generation algorithm \(\mathsf {Par}\) of the IBE scheme does not output any secret parameter, namely \(\mathsf {sp}=\bot \). Roughly speaking, this is needed since the syntax of PKE does not allow the key generation algorithm to take any secret parameter. Note that this condition is satisfied by all of our constructions except for that in Sect. 7.
By applying the above conversion to \(\mathsf {\Phi }^{\mathsf {prime}}_{\mathsf {slp}}\) and \(\mathsf {\Phi }^{\mathsf {prime}}_{\mathsf {cc}}\), we obtain new PKE schemes that we call \(\mathsf {\Psi }^{\mathsf {prime}}_{\mathsf {slp}}\) and \(\mathsf {\Psi }^{\mathsf {prime}}_{\mathsf {cc}}\). The former allows a flexible trade-off between the sizes of the public parameters and the ciphertexts. The latter achieves a very short ciphertext size: the ciphertext overhead of our scheme consists of only 10 group elements and 2 elements of \(\mathbb {Z}_p\). This significantly improves on previous PKE schemes with the same security guarantee [1, 27, 30, 33, 34] in terms of ciphertext size. Note that the state-of-the-art constructions of [27, 34] require 47 and 59 group elements of ciphertext overhead, respectively. Namely, the ciphertext overhead of our scheme is (at least) \(74\,\%\) shorter than theirs. On the other hand, the public parameters of the scheme in [27] are much shorter than ours (and those of [33, 34]): the former requires only 17 group elements, whereas the latter require many more.
The reason why we can achieve such a short ciphertext size is that our strategy for obtaining a PKE scheme is quite different from that of other works. Roughly speaking, all of the previous constructions [1, 27, 30, 33, 34] follow the template established by Hofheinz and Jager [30]. They first construct an (almost) tightly secure signature scheme. Then, they use the signature to construct an (almost) tightly secure unbounded simulation-sound (quasi-adaptive) NIZK. Finally, they follow the Naor-Yung paradigm [41] and convert a CPA-secure PKE scheme with a tight security reduction [12] into a CCA-secure one using the NIZK. Our construction, on the other hand, is much more direct and simpler, and requires only a very small amount of overhead in the public parameters and ciphertexts.
Footnotes
 1.
In fact, we also require the decisional bilinear Diffie-Hellman (DBDH) assumption on the composite-order groups (Problem 5) in addition to the subgroup decision assumptions. However, this assumption does not use the power of composite-order groups; in other words, it does not imply the factoring assumption. Therefore, it can readily be converted into a prime-order assumption.
 2.
In the actual scheme, \(\mathsf {sk}_\mathsf {ID}\) is randomized by elements of \(\mathbb {G}_{p_3}\), but we do not care about this point in this overview.
 3.
Of course, in symmetric bilinear groups, the DDH assumption does not hold. They considered a DDH assumption on \(\mathbb {G}_{p_2}\) where each term is perturbed by a random element of \(\mathbb {G}_{p_3}\), which prevents the trivial attack against the assumption.
 4.
Here, we use CMH to stand for “computational master-key hiding” (for broadcast encodings), while in [4], CMH refers to “co-selective master-key hiding” (for pair encodings). We hope that this is not confusing, since our notion of 1-CMH security is in fact almost the same as the notion of co-selective master-key hiding security (for the broadcast predicate) anyway.
 5.
They showed a construction that is secure under the kLIN assumption for any k, using \(2k\times 2k\) matrices. When \(k=2\), the scheme is secure under the DLIN assumption.
Acknowledgement
We thank the members of ShinAkaruiAngoBenkyoKai for valuable comments. We also thank anonymous reviewers for their constructive comments.
References
1. Abe, M., David, B., Kohlweiss, M., Nishimaki, R., Ohkubo, M.: Tagged one-time signatures: tight security and optimal tag size. In: Kurosawa, K., Hanaoka, G. (eds.) PKC 2013. LNCS, vol. 7778, pp. 312–331. Springer, Heidelberg (2013)
2. Agrawal, S., Chase, M.: A study of pair encodings: predicate encryption in prime order groups. IACR Cryptology ePrint Archive, Report 2015/390
3. Attrapadung, N.: Dual system encryption framework in prime-order groups. IACR Cryptology ePrint Archive, Report 2015/390
4. Attrapadung, N.: Dual system encryption via doubly selective security: framework, fully secure functional encryption for regular languages, and more. In: Nguyen, P.Q., Oswald, E. (eds.) EUROCRYPT 2014. LNCS, vol. 8441, pp. 557–577. Springer, Heidelberg (2014)
5. Attrapadung, N., Furukawa, J., Gomi, T., Hanaoka, G., Imai, H., Zhang, R.: Efficient identity-based encryption with tight security reduction. In: Pointcheval, D., Mu, Y., Chen, K. (eds.) CANS 2006. LNCS, vol. 4301, pp. 19–36. Springer, Heidelberg (2006)
6. Attrapadung, N., Hanaoka, G., Yamada, S.: A framework for identity-based encryption with almost tight security. IACR Cryptology ePrint Archive, Report 2015/566 (2015)
7. Bellare, M., Boldyreva, A., Micali, S.: Public-key encryption in a multi-user setting: security proofs and improvements. In: Preneel, B. (ed.) EUROCRYPT 2000. LNCS, vol. 1807, pp. 259–274. Springer, Heidelberg (2000)
8. Bellare, M., Ristenpart, T.: Simulation without the artificial abort: simplified proof and improved concrete security for Waters’ IBE scheme. In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 407–424. Springer, Heidelberg (2009)
9. Blazy, O., Kiltz, E., Pan, J.: (Hierarchical) identity-based encryption from affine message authentication. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 408–425. Springer, Heidelberg (2014)
10. Boneh, D., Boyen, X.: Efficient selective-ID secure identity-based encryption without random oracles. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 223–238. Springer, Heidelberg (2004)
11. Boneh, D., Boyen, X.: Secure identity based encryption without random oracles. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 443–459. Springer, Heidelberg (2004)
12. Boneh, D., Boyen, X., Shacham, H.: Short group signatures. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 41–55. Springer, Heidelberg (2004)
13. Boneh, D., Franklin, M.: Identity-based encryption from the Weil pairing. In: Kilian, J. (ed.) CRYPTO 2001. LNCS, vol. 2139, pp. 213–229. Springer, Heidelberg (2001)
14. Canetti, R., Halevi, S., Katz, J.: A forward-secure public-key encryption scheme. In: Biham, E. (ed.) EUROCRYPT 2003. LNCS, vol. 2656, pp. 255–271. Springer, Heidelberg (2003)
15. Canetti, R., Halevi, S., Katz, J.: Chosen-ciphertext security from identity-based encryption. In: Cachin, C., Camenisch, J.L. (eds.) EUROCRYPT 2004. LNCS, vol. 3027, pp. 207–222. Springer, Heidelberg (2004)
16. Chen, J., Gay, R., Wee, H.: Improved dual system ABE in prime-order groups via predicate encodings. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 595–624. Springer, Heidelberg (2015)
17. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE from standard assumptions. IACR Cryptology ePrint Archive, Report 2013/803
18. Chen, J., Wee, H.: Dual system groups and its applications: compact HIBE and more. IACR Cryptology ePrint Archive, Report 2014/265
19. Chen, J., Wee, H.: Fully, (almost) tightly secure IBE and dual system groups. In: CRYPTO 2013, pp. 435–460 (2013). A merge of two papers [19, 20]
20. Cocks, C.: An identity based encryption scheme based on quadratic residues. In: Honary, B. (ed.) Cryptography and Coding 2001. LNCS, vol. 2260, pp. 360–363. Springer, Heidelberg (2001)
21. Cramer, R., Shoup, V.: A practical public key cryptosystem provably secure against adaptive chosen ciphertext attack. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 13–25. Springer, Heidelberg (1998)
22. Escala, A., Herold, G., Kiltz, E., Ràfols, C., Villar, J.: An algebraic framework for Diffie-Hellman assumptions. In: Canetti, R., Garay, J.A. (eds.) CRYPTO 2013, Part II. LNCS, vol. 8043, pp. 129–147. Springer, Heidelberg (2013)
23. Freeman, D.M.: Converting pairing-based cryptosystems from composite-order groups to prime-order groups. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 44–61. Springer, Heidelberg (2010)
24. Gentry, C.: Practical identity-based encryption without random oracles. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 445–464. Springer, Heidelberg (2006)
25. Gentry, C., Waters, B.: Adaptive security in broadcast encryption systems (with short ciphertexts). In: Joux, A. (ed.) EUROCRYPT 2009. LNCS, vol. 5479, pp. 171–188. Springer, Heidelberg (2009)
26. Herold, G., Hesse, J., Hofheinz, D., Ràfols, C., Rupp, A.: Polynomial spaces: a new framework for composite-to-prime-order transformations. In: Garay, J.A., Gennaro, R. (eds.) CRYPTO 2014, Part I. LNCS, vol. 8616, pp. 261–279. Springer, Heidelberg (2014)
27. Hofheinz, D.: Algebraic partitioning: fully compact and (almost) tightly secure cryptography. IACR Cryptology ePrint Archive, Report 2015/499
28. Hofheinz, D., Kiltz, E.: Secure hybrid encryption from weakened key encapsulation. In: Menezes, A. (ed.) CRYPTO 2007. LNCS, vol. 4622, pp. 553–571. Springer, Heidelberg (2007)
29. Hofheinz, D., Kiltz, E.: Programmable hash functions and their applications. In: Wagner, D. (ed.) CRYPTO 2008. LNCS, vol. 5157, pp. 21–38. Springer, Heidelberg (2008)
30. Hofheinz, D., Jager, T.: Tightly secure signatures and public-key encryption. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 590–607. Springer, Heidelberg (2012)
31. Hofheinz, D., Koch, J., Striecks, C.: Identity-based encryption with (almost) tight security in the multi-instance, multi-ciphertext setting. In: Katz, J. (ed.) PKC 2015. LNCS, vol. 9020, pp. 799–822. Springer, Heidelberg (2015)
32. Jutla, C.S., Roy, A.: Shorter quasi-adaptive NIZK proofs for linear subspaces. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part I. LNCS, vol. 8269, pp. 1–20. Springer, Heidelberg (2013)
33. Libert, B., Joye, M., Yung, M., Peters, T.: Concise multi-challenge CCA-secure encryption and signatures with almost tight security. In: Sarkar, P., Iwata, T. (eds.) ASIACRYPT 2014, Part II. LNCS, vol. 8874, pp. 1–21. Springer, Heidelberg (2014)
34. Libert, B., Joye, M., Yung, M., Peters, T.: Compactly hiding linear spans: tightly secure constant-size simulation-sound QA-NIZK proofs and applications. IACR Cryptology ePrint Archive, Report 2015/242
35. Lewko, A.: Tools for simulating features of composite order bilinear groups in the prime order setting. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 318–335. Springer, Heidelberg (2012)
36. Lewko, A., Okamoto, T., Sahai, A., Takashima, K., Waters, B.: Fully secure functional encryption: attribute-based encryption and (hierarchical) inner product encryption. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 62–91. Springer, Heidelberg (2010)
37. Lewko, A., Waters, B.: New techniques for dual system encryption and fully secure HIBE with short ciphertexts. In: Micciancio, D. (ed.) TCC 2010. LNCS, vol. 5978, pp. 455–479. Springer, Heidelberg (2010)
38. Lewko, A., Waters, B.: Unbounded HIBE and attribute-based encryption. In: Paterson, K.G. (ed.) EUROCRYPT 2011. LNCS, vol. 6632, pp. 547–567. Springer, Heidelberg (2011)
39. Lewko, A., Waters, B.: New proof methods for attribute-based encryption: achieving full security through selective techniques. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 180–198. Springer, Heidelberg (2012)
40. Naor, M., Reingold, O.: Number-theoretic constructions of efficient pseudo-random functions. J. ACM 51(2), 231–262 (2004)
41. Naor, M., Yung, M.: Public-key cryptosystems provably secure against chosen ciphertext attacks. In: STOC, pp. 427–437 (1990)
42. Okamoto, T., Takashima, K.: Fully secure functional encryption with general relations from the decisional linear assumption. In: Rabin, T. (ed.) CRYPTO 2010. LNCS, vol. 6223, pp. 191–208. Springer, Heidelberg (2010)
43. Okamoto, T., Takashima, K.: Fully secure unbounded inner-product and attribute-based encryption. In: Wang, X., Sako, K. (eds.) ASIACRYPT 2012. LNCS, vol. 7658, pp. 349–366. Springer, Heidelberg (2012)
44. Rouselakis, Y., Waters, B.: Practical constructions and new proof methods for large universe attribute-based encryption. In: ACM CCS, pp. 463–474 (2013)
45. Sakai, R., Ohgishi, K., Kasahara, M.: Cryptosystems based on pairing over elliptic curve. In: The 2001 Symposium on Cryptography and Information Security (2001) (in Japanese)
46. Shacham, H.: A Cramer-Shoup encryption scheme from the linear assumption and from progressively weaker linear variants. IACR Cryptology ePrint Archive, Report 2007/074
47. Shamir, A.: Identity-based cryptosystems and signature schemes. In: Blakely, G.R., Chaum, D. (eds.) CRYPTO 1984. LNCS, vol. 196, pp. 47–53. Springer, Heidelberg (1985)
48. Waters, B.: Efficient identity-based encryption without random oracles. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 114–127. Springer, Heidelberg (2005)
49. Waters, B.: Dual system encryption: realizing fully secure IBE and HIBE under simple assumptions. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 619–636. Springer, Heidelberg (2009)
50. Wee, H.: Dual system encryption via predicate encodings. In: Lindell, Y. (ed.) TCC 2014. LNCS, vol. 8349, pp. 616–637. Springer, Heidelberg (2014)