Tightly Secure Hierarchical Identity-Based Encryption

We construct the first tightly secure hierarchical identity-based encryption (HIBE) scheme based on standard assumptions, which solves an open problem from Blazy, Kiltz, and Pan (CRYPTO 2014). At the core of our constructions is a novel randomization technique that enables us to randomize user secret keys for identities with flexible length. The security reductions of previous HIBEs lose at least a factor of Q, which is the number of user secret key queries. In contrast, the security loss of our schemes depends only on the security parameter. Our schemes are adaptively secure based on the Matrix Diffie-Hellman assumption, which is a generalization of standard Diffie-Hellman assumptions such as k-Linear. We have two tightly secure constructions, one with constant ciphertext size, and the other with tighter security at the cost of linear ciphertext size. Among other things, our schemes imply the first tightly secure identity-based signature scheme by a variant of the Naor transformation.


Motivation
Tight security. Reductions are useful tools for proving the security of public-key cryptographic schemes. Asymptotically, a reduction shows that if there is an efficient adversary A that breaks the security of a scheme, then we can construct another adversary R that solves the underlying computationally hard problem. Concretely, a reduction provides a security bound for the scheme, ε A ≤ ·ε R , where ε A is the success probability of A and ε R is that of R. Ideally, it is more desirable to have as small as a constant. We say a reduction is tight if is a small constant and the running time of A is approximately the same as that of R. Most current works consider the tightness notion called "almost tight security", where may linearly (or, even better, logarithmically) depend on the security parameter, but not on the size of A. Recently, tightly secure cryptographic schemes have drawn a large amount of attention (e.g. [18,8,3,11,16,1,12,17]), since tightly secure schemes do not need to compensate for any security loss.
(Hierarchical) identity-based encryption. The concept of identity-based encryption (IBE) was proposed by Shamir [31] to simplify the management of public keys and certificates. With an IBE scheme, one can encrypt a message under a recipient's identity id (for instance, email address or ID card number), and this encrypted message can be decrypted with user id's secret key from a trusted authority. The first constructions of IBE were given in 2001 [4,9,30] in the random oracle model.
A hierarchical IBE (HIBE) scheme [22,14] generalizes the concept of IBE and provides more functionality by forming levels of a hierarchy. In an L-level HIBE, a hierarchical identity is a vector of at most L identities, and a user at level i can delegate a secret key for its descendants at level i′ (where i < i′ ≤ L). Moreover, a user at level i is not supposed to decrypt any encryption from a recipient which is not amongst its descendants. HIBE schemes are not only more general than IBE schemes (for instance, an IBE is simply a 1-level HIBE), but also have numerous applications. The most famous ones are CCA-secure IBEs [5] and identity-based signatures [24] from HIBE. Both implications are tight.
Adaptive security is a widely accepted security notion for (H)IBEs, where an adversary is allowed to adaptively choose a challenge identity $\mathsf{id}^*$ after it sees the (master) public key and Q-many user secret keys for adversarially chosen identities. To achieve adaptive security in the standard model, the early IBE constructions require either non-tight reductions to the hardness of the underlying assumptions [33,7,27,23], or Q-type, non-static assumptions [13].
In 2013, Chen and Wee constructed the first tightly secure IBE based on static assumptions in the standard model [8]. After that, several works have been done to improve its efficiency and achieve stronger security [3,21,16,19]. However, constructing an L-level HIBE for L > 1 with a tight (i.e., independent of Q) security reduction to a standard assumption remains open.
HIBEs meet tightness: difficulties and the hope. Before analyzing the difficulties of achieving tightly secure HIBE, we consider the security loss of the current state-of-the-art HIBEs. The L-level HIBE from [33] has a relatively large security loss, $Q^L$, which depends on both Q and L. Although the security loss of more recent HIBEs [32,27,8,3,15] does not depend on the maximum number of levels L, they are still not tight and lose a factor of Q.
In general, it is harder to construct HIBEs than IBEs, since HIBEs allow public delegation of user secret keys, given the corresponding ancestor's secret key. Hence, given a tightly secure IBE, there is no (tight) black-box transformation to HIBE. The works of Lewko and Waters [28] show the potential difficulty of constructing HIBE with tight reductions. More precisely, [28] proves that it is hard to have an HIBE scheme with security loss less than exponential in L, if the HIBE has rerandomizable user secret keys (over all "functional" user secret keys).
The first attempt at constructing tightly secure HIBEs is due to Blazy, Kiltz, and Pan (cf. the proceedings version and the first full version of [3]), where they tightly transform algebraic message authentication code (MAC) schemes to (H)IBE schemes. As long as the algebraic MAC has tight security, the resulting (H)IBE is tightly secure. The first version of their paper contains a tightly secure delegatable MAC, which results in a tightly secure HIBE. The resulting HIBE bypassed the impossibility result of [28] and its user secret keys are only rerandomizable over all keys generated by the user secret key generation algorithm, which is only a subspace of all "functional" keys. However, shortly after its publication, a flaw was found in a proof step of the delegatable MAC, and they removed this tightly secure delegatable MAC from their paper. The flaw is basically due to the fact that the BKP randomization technique failed to randomize MAC tags (which are an important part of user secret keys) for hierarchical identities.
The hope of achieving tight security for HIBEs lies in developing a novel method that enables randomization of user secret keys for identities with flexible level.

Our contributions
We answer the aforementioned open question affirmatively with two tightly secure hierarchical identity-based encryption schemes with identity space $\mathsf{ID} := (\{0,1\}^{\alpha})^{\leq L}$: one with constant ciphertext size (in terms of the number of group elements) and $O(\alpha L^2)$ security loss, and the other with ciphertext size linear in L but $O(\alpha L)$ security loss. Both schemes are the first tightly secure HIBEs. We compare our schemes with the existing HIBE schemes in prime-order pairing groups in Table 1.
Furthermore, via the known tight transformations from [24] and [5], our HIBEs imply the first tightly secure identity-based signature and tightly CCA-secure HIBEs almost for free. We note that an (L + 1)-level HIBE tightly implies an L-level CCA-secure HIBE via the CHK transformation [5] in the single-challenge setting.
Core idea. In a nutshell, the technical novelty of our constructions is a new randomization technique that enables us to randomize user secret keys with flexible identity length. This technique is motivated by the recent tightly CCA-secure public-key encryption of Gay et al. [11].
At the core of our constructions lie two new pseudorandom message authentication code (MAC) schemes for messages with flexible length. Their pseudorandomness can be proven with tight reductions to the Matrix Decisional Diffie-Hellman (MDDH) assumption [10]. The MDDH assumption is a generalization of the known standard Diffie-Hellman assumptions, such as the k-linear (k-LIN) assumption. Our MAC schemes have algebraic structures compatible with the BKP transformation. In the end, together with a variant of the BKP framework [3], we can tightly randomize user secret keys with hierarchical identities and we have tightly secure HIBEs.
A closer look at the BKP framework. The BKP framework proposes the notion of affine MACs and transforms it to an (H)IBE scheme with pairings. Their transformation is tightness-preserving. Under the MDDH assumption, if the affine MAC is tightly secure, then the (H)IBE is also tightly secure. It is worth mentioning that the BKP transformation and its variants are widely used in constructing identity-based encryption [19] with multi-challenge CCA security, predicate encryption [34,6], quasi-adaptive NIZK [26], and structure-preserving signatures [25,12] based on standard, static assumptions. We recall their tightly secure MAC, $\mathsf{MAC}_{\mathsf{NR}}$, based on the Naor-Reingold pseudorandom function [29], which is implicitly in the Chen-Wee (CW) IBE [8] as well. $\mathsf{MAC}_{\mathsf{NR}}$ is defined over an additive prime-order group $G_2 := \langle P_2 \rangle$ and its message space corresponds to the identity space of the resulting IBE. We use the implicit notation $[x]_2 := xP_2$ from [10]. $\mathsf{MAC}_{\mathsf{NR}}$ chooses $B \in \mathbb{Z}_q^{(k+1) \times k}$ according to the underlying assumption. For message space $M := \{0,1\}^{\alpha}$, its secret key is defined as and its MAC tag contains a message-independent vector $[t]_2$ and a message-dependent value $[u]_2$ in the form of where B denotes the first k rows of B.
The BKP transformation requires that the MAC scheme has pseudorandomness against chosen-message attacks (PR-CMA security), which is a decisional variant of the standard existential unforgeability against chosen-message attacks (EUF-CMA security). In order to provide a simpler and more intuitive discussion, we consider the standard EUF-CMA security of $\mathsf{MAC}_{\mathsf{NR}}$, where an adversary A is allowed to see many MAC tags $\tau_m := ([t_m]_2, [u_m]_2)$ on messages m of its choice and tries to produce a fresh and valid forgery $(m^*, \tau^*)$ which satisfies Equation (1). Following the CW argument [8], by a hybrid argument on the bit length of m, one can show that the value $[u]_2$ is pseudorandom such that it is hard for an adversary to forge.
By embedding the problem challenge in t and $x_{i+1,1-b}$, the CW argument can manage to develop the following random function $\mathsf{RF}_{i+1}$ for (i + 1)-bit messages from a random function $\mathsf{RF}_i$ for i-bit messages on-the-fly: where b is the guess for the (i + 1)-th bit of $m^*$ and $m_{|i}$ is the first i bits of m.
Such an argument works well if messages have fixed length. For messages m with fixed length, an adversary can see the output of either $\mathsf{RF}_i$ (in Hybrid i) or $\mathsf{RF}_{i+1}$ (in Hybrid i + 1), but not both. However, that is not the case for messages m with flexible length. Concretely, identities for HIBEs are messages with flexible level. If we follow the CW and BKP arguments, we first need to develop a random function at the 2-level based on that at the 1-level. The critical case happens when we switch from Hybrid α (the end of randomization at the 1-level) to Hybrid α + 1 (the beginning of randomization at the 2-level). If we define $\mathsf{RF}_{\alpha+1}$ (with message space $\{0,1\}^{\alpha} \cup \{0,1\}^{\alpha+1}$) via Equation (2) based on random functions $\mathsf{RF}_{\alpha}$, $\mathsf{RF}'_{\alpha}$ (with message space $\{0,1\}^{\alpha}$), then we have $\mathsf{RF}_{\alpha+1}(m) = \mathsf{RF}_{\alpha+1}(m \| b)$ for an $m \in \{0,1\}^{\alpha}$, which means that the resulting $\mathsf{RF}_{\alpha+1}$ is not a random function for messages with flexible level.

Our approach: independent randomization
To circumvent the aforementioned problem, we propose a suitable pseudorandom MAC, which isolates the tag randomization for messages with different levels. Our strategy is to randomize tags for messages with only one level first, and then for those with two levels, and so on. By a novel use of the recent subspace randomization refined from [11], tags for messages with different levels are randomized independently.
Affine MACs with levels. We consider a new notion of affine MACs, called affine MACs with levels, and we give two constructions of it. This new notion considers messages with flexible levels and enables us to develop independent random functions $\mathsf{RF}_{\alpha}$ for messages with only one level (i.e., in $\{0,1\}^{\alpha}$), and $\mathsf{RF}_{2\cdot\alpha}$ for messages with only two levels (i.e., in $\{0,1\}^{2\alpha}$), and so on. For simplicity, we present an overview of our technique in terms of 2-level HIBEs (L = 2), namely, the hierarchical identity space $\mathsf{ID} := (\{0,1\}^{\alpha})^{\leq 2}$. We denote 1-level messages as $m \in \{0,1\}^{\alpha}$ and 2-level messages as $m' \in \{0,1\}^{\alpha\cdot 2}$.
Our first MAC construction $\mathsf{MAC}_1$'s secret keys have the form of Value u in the MAC tags for $m \in \{0,1\}^{\alpha}$ and $m' \in \{0,1\}^{2\alpha}$ has the form of By a similar argument as in the BKP we can randomize all the $u_m$ for 1-level messages m and, after the first level messages randomization, $u_m$ has the form namely, we replace $x_0$ with $\mathsf{RF}_{\alpha}(m)$, but this affects the $u_{m'}$ for 2-level messages m′ as well. More precisely, $u_{m'}$ carries the random function $\mathsf{RF}_{\alpha}$ and has the form If we continue to randomize $u_{m'}$, we will run into the exact same problem as in the CW or BKP randomization. Motivated by [11], we hide $\mathsf{RF}_{\alpha}$ in some orthogonal space. By switching t into the "right" span, $\mathsf{RF}_{\alpha}$ appears in $u_m$, but gets canceled in $u_{m'}$. Concretely, we embed the random function $\mathsf{RF}_{\alpha}$ into the kernel of B and $u_y$ ($y \in \{m, m'\}$) has the form where "∼" denotes corresponding summation terms. During the randomization for 1-level messages, if we choose $t \in \mathsf{Span}(B) := \{v \mid \exists s \in \mathbb{Z}_q^k : v = Bs\}$ for 2-level messages m′, then $\mathsf{RF}_{\alpha}$ will get canceled out; and if we choose $t \notin \mathsf{Span}(B)$ for 1-level messages m, then $\mathsf{RF}_{\alpha}$ will appear and $u_m$ gets randomized. After the randomization for 1-level messages, $u_{m'}$ for 2-level messages m′ is distributed the same as in Equation (3) so that we can start 2-level randomization from a constant random function RF 0 ( ) multiplying with (B ⊥ ) , where denotes the empty string.
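The span/kernel cancellation described above, carried out in the clear over a toy field, as an added example that is not code from the paper. It assumes a constructed prime q = 2^31 − 1, k = 2, constructed sample identities, and that the hidden summand has the shape RF(m)·(B⊥)ᵀ·t (the transpose is an assumption made so that the dimensions match); all function names are hypothetical.

```python
import random

Q = 2**31 - 1  # toy prime modulus (constructed); stands in for the group order q
K = 2          # dimension k, so B is a 3k x k matrix


def rand_vec(n, rng):
    return [rng.randrange(Q) for _ in range(n)]


def mat_vec(M, v):
    """Matrix-vector product over Z_Q."""
    return [sum(a * b for a, b in zip(row, v)) % Q for row in M]


def transpose(M):
    return [list(col) for col in zip(*M)]


def kernel_basis(M):
    """Basis of {v : M v = 0 over Z_Q}, by Gauss-Jordan elimination."""
    rows = [[x % Q for x in r] for r in M]
    n, pivots = len(rows[0]), []
    for c in range(n):
        r = len(pivots)
        if r == len(rows):
            break
        p = next((i for i in range(r, len(rows)) if rows[i][c]), None)
        if p is None:
            continue  # no pivot here: column c is a free variable
        rows[r], rows[p] = rows[p], rows[r]
        inv = pow(rows[r][c], -1, Q)
        rows[r] = [x * inv % Q for x in rows[r]]
        for i in range(len(rows)):
            if i != r and rows[i][c]:
                f = rows[i][c]
                rows[i] = [(x - f * y) % Q for x, y in zip(rows[i], rows[r])]
        pivots.append(c)
    basis = []
    for free in (c for c in range(n) if c not in pivots):
        v = [0] * n
        v[free] = 1
        for i, pc in enumerate(pivots):
            v[pc] = -rows[i][free] % Q
        basis.append(v)
    return basis


def make_random_function(out_len, rng):
    """Lazily sampled random function from bit strings to Z_Q^out_len."""
    table = {}
    def rf(m):
        if m not in table:
            table[m] = rand_vec(out_len, rng)
        return table[m]
    return rf


def rf_summand(rf_value, B_perp_T, t):
    """RF(m) (B_perp)^T t: the summand of u hidden in the kernel of B."""
    return sum(a * b for a, b in zip(rf_value, mat_vec(B_perp_T, t))) % Q


def in_span(B_perp_T, t):
    """t lies in Span(B) exactly when (B_perp)^T t = 0 (B of full rank k)."""
    return not any(mat_vec(B_perp_T, t))


def demo(seed=2019):
    rng = random.Random(seed)  # fixed seed so the toy run is reproducible
    B = [rand_vec(K, rng) for _ in range(3 * K)]
    B_perp_T = kernel_basis(transpose(B))  # rows v with v^T B = 0
    rf_alpha = make_random_function(len(B_perp_T), rng)
    m1 = "0110"        # constructed 1-level identity (alpha = 4)
    m2 = m1 + "1001"   # constructed 2-level identity below m1
    t_two = mat_vec(B, rand_vec(K, rng))  # t = B s, so t is in Span(B)
    t_one = rand_vec(3 * K, rng)          # uniform t, outside Span(B) w.h.p.
    return {
        "kernel_dim": len(B_perp_T),
        "two_level_in_span": in_span(B_perp_T, t_two),
        "one_level_in_span": in_span(B_perp_T, t_one),
        "summand_two_level": rf_summand(rf_alpha(m2[:4]), B_perp_T, t_two),
        "summand_one_level": rf_summand(rf_alpha(m1), B_perp_T, t_one),
    }


if __name__ == "__main__":
    print(demo())
```

The same random-function value vanishes from the 2-level tag and survives in the 1-level tag. In the scheme only $[t]_2$ is visible, so the membership test `in_span` is not available to the adversary, which is where the MDDH assumption enters.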
The way of developing $\mathsf{RF}_{\alpha}$ (or $\mathsf{RF}_{2\cdot\alpha}$, respectively) from RF 0 (or RF 0 , respectively) is similar to [11]. Roughly, we choose two random matrices q . An overview of the orthogonal relations between all these matrices is given in Figure 1. After the decomposition of linear spaces, . By using the MDDH assumption, we can switch $[t]_2$ to the right span and develop In order to have public delegation, the user secret keys at level 1 contain delegation terms [x j,b t] 2 . Since our randomization at different levels is isolated, the published terms will not affect our randomization strategy. Details are given in Section 3.1. In the end, our security reduction loses a factor of $O(\alpha L^2)$ due to L-many randomization loops and the fact that in each loop an additional factor of $O(\alpha L)$ is required. Applying a variant of the BKP transformation (cf. Section 4), we obtain the first HIBE scheme with tight security.
Achieving tighter security. Our second MAC construction ($\mathsf{MAC}_2$ in Section 3.2) parallelizes the above randomization strategy and yields a scheme with security loss $O(\alpha L)$. The cost of doing this is to have a different $t_i$ at each level for a message with L levels, which results in an HIBE with O(L)-size ciphertext via the BKP transformation.

More related work and open problems
Bader et al. [2] use some idea from the BKP HIBE to construct digital signature schemes with corruptions, but it does not involve any randomization for messages with flexible length, and thus it does not have the same issue as the BKP.
Very recently, Hofheinz, Jia, and Pan [19] extend the BKP construction with the information-theoretical Cramer-Shoup-like argument of [11] to answer multiple challenge ciphertext queries for IBE. However, we do not know whether their technique and a similar one from [16] can work directly here to construct tightly multi-challenge secure HIBE. We leave achieving tight multi-challenge security for HIBEs as an open problem. Another interesting direction is to improve the efficiency of our schemes.

Preliminaries
Notations. We use $x \xleftarrow{\$} S$ to denote the process of sampling an element x from S uniformly at random if S is a set. For positive integers k > 1, $\eta \in \mathbb{Z}^+$ and a matrix $A \in \mathbb{Z}_q^{(k+\eta) \times k}$, we denote the upper square matrix of A by $A \in \mathbb{Z}_q^{k \times k}$ and the lower η rows of A by $A \in \mathbb{Z}_q^{\eta \times k}$. Similarly, for a column vector $v \in \mathbb{Z}_q^{k+\eta}$, we denote the upper k elements by $v \in \mathbb{Z}_q^{k}$ and the lower η elements of v by $v \in \mathbb{Z}_q^{\eta}$. For a string $m \in \Sigma^n$, $m_i$ denotes the i-th component of m (1 ≤ i ≤ n) and $m_{|i}$ denotes the prefix of length i of m.
Furthermore, for a p-tuple of bit strings $m \in (\{0,1\}^n)^p$, we use m to denote the string $m_1 \| \ldots \| m_p$. Thus for 1 ≤ i ≤ np, m i denotes the i-th bit of $m_1 \| \ldots \| m_p$ and m |i denotes the i-bit-long prefix of $m_1 \| \ldots \| m_p$.
All our algorithms are probabilistic polynomial time unless stated otherwise. If A is an algorithm, then we write $a \xleftarrow{\$} A(b)$ to denote the random variable output by A on input b.
Games. Following [3], we use code-based games to define and prove security. A game G contains procedures Init and Finalize, and some additional procedures $P_1, \ldots, P_n$, which are defined in pseudo-code. Initially all variables in a game are undefined (denoted by ⊥), all sets are empty (denoted by ∅), and all partial maps (denoted by f : A B) are totally undefined. An adversary A is executed in game G (denoted by $G^A$) if it first calls Init, obtaining its output. Next, it may make arbitrary queries to $P_i$ (according to their specification), again obtaining their output. Finally, it makes one single call to Finalize(·) and stops. We use $G^A \Rightarrow d$ to denote that G outputs d after interacting with A, and d is the output of Finalize.

Pairing groups and matrix Diffie-Hellman assumptions
Let GGen be a probabilistic polynomial time (PPT) algorithm that on input $1^{\lambda}$ returns a description $G := (G_1, G_2, G_T, q, P_1, P_2, e)$ of asymmetric pairing groups where $G_1, G_2, G_T$ are cyclic groups of order q for a λ-bit prime q, $P_1$ and $P_2$ are generators of $G_1$ and $G_2$, respectively, and $e : G_1 \times G_2 \to G_T$ is an efficiently computable (non-degenerate) bilinear map. Define $P_T := e(P_1, P_2)$, which is a generator in $G_T$. In this paper, we only consider Type III pairings, where $G_1 \neq G_2$ and there is no efficient homomorphism between them. All our constructions can be easily instantiated with Type I pairings by setting $G_1 = G_2$ and defining the dimension k to be greater than 1.
We use implicit representation of group elements as in [10]. For $s \in \{1, 2, T\}$ and $a \in \mathbb{Z}_q$ define $[a]_s = aP_s \in G_s$ as the implicit representation of a in Next we recall the definition of the matrix Diffie-Hellman (MDDH) and related assumptions [10].
Without loss of generality, we assume the first k rows of A $ ← D ,k form an invertible matrix. The D ,k -matrix Diffie-Hellman problem is to distinguish the two distributions ( Definition 2 (D ,k -matrix Diffie-Hellman assumption). Let D ,k be a matrix distribution and s ∈ {1, 2, T }. We say that the D ,k -matrix Diffie-Hellman (D ,k -MDDH) assumption holds relative to GGen in group G s if for all PPT adversaries A, it holds that The uniform distribution is a particular matrix distribution that deserves special attention, as an adversary breaking the U ,k assumption can also distinguish between real MDDH tuples and random tuples for all other possible matrix distributions. For uniform distributions, they stated in [11] that U k -MDDH and U ,k -MDDH assumptions are equivalent.

[AW]) and ([A], [U]). That is, the Q-fold D ,k -MDDH problem contains Q independent instances of the D ,k -MDDH problem (with the same A but different $w_i$). By a hybrid argument one can show that the two problems are equivalent, where the reduction loses a factor Q. The following lemma gives a tight reduction. For the uniform distribution U ,k , the security loss − k can be avoided by applying Lemma 3 to the U k distribution and then using Lemma 1 on each of the U k instances to get a U ,k instance.

Lemma 3 (Random self-reducibility [10]).
For > k and any matrix distribution D ,k , D ,k -MDDH is random self-reducible. In particular, for any Q ≥ 1 and any adversary A there exists an adversary B with , and T (A) ≈ T (B) + Q · poly(λ).

Hierarchical identity-based key encapsulation
We recall syntax and security of a hierarchical identity-based key encapsulation mechanism (HIBKEM). We only consider HIBKEM in this paper. By adapting the transformation for public-key encryption in [20] to the HIBE setting, one can easily prove that every HIBKEM can be transformed (tightly) into an HIBE scheme with a (one-time secure) symmetric cipher.
-The probabilistic key generation algorithm Gen(par) returns the (master) public/secret key and delegation key (pk, sk, dk). Note that for some of our constructions dk is empty. We assume that pk implicitly defines a hierarchical identity space ID = S ≤L , for some base identity set S, and a key space K, and ciphertext space C. In our HIBKEM definition we make the delegation key dk explicit to make our constructions more readable. We define indistinguishability (IND-HID-CPA) against adaptively chosen identity and plaintext attacks for a HIBKEM via games IND-HID-CPA real and IND-HID-CPA rand from Figure 2.

Affine MAC with levels
The core of our HIBE constructions is a Message Authentication Code with suitable algebraic structures and we call it affine MAC with levels. This is a generalization of the delegatable, affine MAC used in [3], namely, a delegatable, affine MAC is affine MAC with levels with (p) = 1 for all p ∈ {1, . . . L}. Security Model. As security model for affine MACs with levels we use HPR 0 -CMA-security as defined by the games in Figure 3. This is a generalization of the HPR 0 -CMA-security for delegatable, affine MACs defined in [3].

Our first construction
Let $(G_2, q, P_2)$ be a group of prime order q. Our first affine MAC with levels $\mathsf{MAC}_1[U_{3k,k}] := (\mathsf{Gen}_{\mathsf{MAC}}, \mathsf{Tag}, \mathsf{Ver}_{\mathsf{MAC}})$ with message space $\mathsf{ID} := S^{\leq L} := (\{0,1\}^{\alpha})^{\leq L}$ is defined in Figure 4. The bit-length α of the identity vectors and the maximum length L of the identity vectors can be chosen freely. The resulting HIBE from this MAC has constant ciphertext length.
Proof. The proof uses a hybrid argument with the hybrids G 0 (the HPR 0 -CMA real game), G 1 , G 2,î,0 , G 2,î,1 , G 2,î,2,,0 -G 2,î,2,,3 , G 2,î,3 , G 2,î,4 , and G 2,î,5 for î ∈ {1, . . . , L} and ∈ {1, . . . ,îα}, and finally G 3 . The hybrids are given in Figures 5 and 6. A summary can be found in Table 2. They make use of random functions
Table 2. Summary of the hybrids of Figures 5 and 6. Eval queries with p = î draw t from the set described by the second column and add the randomness ru(m)t to u or choose u uniform random. The Chal query adds the term r h 0 (m ) to h0 if m has length î. The column "Transition" displays how we can switch to this hybrid from the previous one. The background colors indicate repeated transitions.

Lemma 4 (G
Proof. In game G 1 each time the adversary queries a tag for a message m where he queried a tag for m before, the adversary will get a rerandomized version of the first tag he queried:
if m ∈ QM then return RerandomizeTag(K(m))
The rerandomized tag is identically distributed to a fresh tag: t := t + Bs is uniformly random in Span(B), when s is uniform random iα j=1 x i,j, m j Bs we get a valid message tag for m, when ([t] 2 , [u] 2 ) is a valid tag for m.
Note that the rerandomization uses only the "public key" returned by the Init-Oracle, so it could actually be carried out by the adversary herself. In a nutshell, repeated Eval-queries for a message m leak no information that is not already leaked by the first Eval-query for m or by the "public key". 4 2,1,0 ).
Proof. These two games are equivalent.
Lemma 6 (G 2,î,0 G 2,î,1 ). For all adversaries A there exists an adversary B with Pr Proof. These two games are equivalent except that in Eval-queries with p =î the value t is chosen uniformly random from Span(B) in G 2,î,0 and uniformly random from Z 3k q in game G 2,î,1 . Since for all computed values it is enough to have [B] 2 instead of B, this leads to a straightforward reduction to the QL-fold U 3k,k -MDDH assumption. Remember that by Lemma 1, the U 3k,k -MDDH assumption is equivalent to the U k -MDDH assumption.
The running time of B is dominated by the running time of A plus some (polynomial) overhead that is independent of T (A) for the group operations in each oracle query.
To achieve that, we first switch t for m +1 = 0 from a random vector in Z 3k is the i-th column vector of Z. Furthermore, in order to make sure that the column vectors of (B|B 0 |B 1 ) form a random basis of Z 3k q , the reduction B chooses B, B 1 $ ← U 3k,k such that (B|B 1 ) has rank 2k and (B|B 1 ) ⊥ b = 0 for all column vectors b of B 0 . We note that the latter one can be done over group G 2 by knowing B and B 1 over Z q .
Until now, if Z is uniform then B simulates the game G 2,î,2,,0 , else if Z is from Span(B 0 ) then B simulates the game G 2,î,2,,1 for messages with m +1 = 0. By using the same argument, we can switch t for m +1 = 1 from a random vector in Z 3k q to a random vector in Span(B|B 1 ). The running time of B is dominated by the running time of A plus some (polynomial) overhead that is independent of T (A) for the group operations in each oracle query.
Pr G A 2,î,2,,1 ⇒ 1 = Pr G A 2,î,2,,2 ⇒ 1 Proof. First of all, we replace in game G 2,î,2,,1 the term . This does not change the distribution, since B * 0 , B * 1 is a basis for Span B ⊥ . We define q is another independent random function. Since ı, does not appear in game G 2,î,2,,2 anymore, RF m |+1 (B * 0 ) t = 0. The Chal query uses the same code if p =î and otherwise it is distributed identically if m +1 = 0. For the case m +1 = 1 note that xî ,+1,1 is identically distributed as xî ,+1,1 + B * 0 w for w $ ← Z k q and w is hidden from the adversary except for the Chal query: In all Eval-queries with p =î only xî ,+1,1 B is used and thus the B * 0 -part cancels out. In the Eval-queries with p =î there is either m +1 = 0 which means that xî ,+1,1 is not used to compute the tag or there is m +1 = 1 which means that t ∈ Span(B|B 1 ) and thus the B * 0 -part of xî ,+1,1 cancels out. All in all this means that the value h 0 is the only one in the game that depends on w and thus the B * 0 -part of h 0 is uniformly random to the adversary. Especially h 0 is distributed identically in both games.
Proof. In game G 2,î,2,îα,3 the Chal-query evaluates RFî ,îα only for the input value m 1 || . . . ||m î (if p ≥î, otherwise it does not use RFî ,îα at all). Assume Prefix(m ) ∩ Q M = ∅, otherwise the adversary has lost the game anyway. In each user secret key query with p =î the value RFî ,îα (m) B ⊥ t is part of u. This is the only place where RFî ,îα (m) is used, since only the first Eval-query for each message evaluates the random function. Thus each query outputs a uniformly random value for u when t p ∉ Span(B), which happens with probability ≥ $1 - 1/q^{2k}$. In this case the games are distributed identically.
Proof. These two games are equivalent.
Proof. In game G 2,L,5 the value x 0 is only used to compute h 1 , thus h 1 is a uniform random value to A and the games are distributed identically.
Summary. To prove Theorem 1 combine Lemmas 4-17 to change h 1 from real to random and then apply all Lemmas in reverse order to get to the HPR 0 -CMA rand game.

Our second construction
Let (G 2 , q, P 2 ) be a group of prime order q. Our second affine MAC with levels MAC 1 [U 3k,k ] := (Gen MAC , Tag, Ver MAC ) with message space ID := S ≤L := ({0, 1} α ) ≤L is defined in Figure 7. The identity vectors bit-length α and the maximum length L of the identity vectors can be chosen freely. The difference to the first construction is that this MAC uses a different t l on each level ( (p) = p) and thus needs no delegation keys. This leads to shorter user secret keys and allows a more efficient reduction. However, this comes at the price of larger ciphertexts. Formally, this MAC uses (l, i) = 0 for i < p and (l, i) = 2iα for i = p.
The arguments to switch between the hybrids are similar to the first construction. A detailed proof can be found in the full version.
Table 3. Summary of the hybrids of Figures 8 and 9. Eval queries draw t from the set described by the second column and add the randomness

Transformation to HIBE
Any affine MAC with levels can be transformed tightly to a hierarchical identity-based key encapsulation mechanism (HIBKEM) under the D k -MDDH assumption. The transformation is shown in Figure 10. It is a generalization of the transformation from delegatable, affine MACs to HIBKEMs in [3]. We only consider HIBKEM here and one can easily prove that every HIBKEM can be transformed (tightly) into an HIBE scheme with a (one-time secure) symmetric cipher by adapting a similar transformation for public-key encryption in [20]. and T (B 1 ) + T (B 2 ) ≈ T (A) + Q · poly(λ).
The detailed proof of Theorem 3 can be found in the full version.

Instantiations
MDDH. The result of applying the HIBKEM transformation to MAC 1 [U 3k,k ] is shown in Figure 11. The scheme has α L 2 + L 4k 2 + k + 3k 2 + 2k group elements in the public key and 4k + 1 group elements in the ciphertext. The user secret keys have at most α L 2 /2 + L/2 − 1 (k + 1) + 4k + 1 group elements. Identities that are deeper in the hierarchy have smaller secret keys, since the user secret key size is dominated by the size of the delegation keys. On the last level, the user secret keys consist of only 4k + 1 keys. The result of applying the HIBKEM transformation to MAC 2 [U 3k,k ] is shown in Figure 12. The scheme has α L 2 + L 4k 2 + k + 3k 2 + 2k group elements in the public key and 3Lk + k + 1 group elements in the ciphertext. The user secret keys have at most 3Lk + k + 1 group elements. Identities that are deeper in the hierarchy have larger secret keys.
Both schemes have the same public key. The first scheme has smaller ciphertexts, while the second has a more efficient reduction and smaller user secret keys in the worst case.

SXDH.
With a type III pairing, both of our schemes can be instantiated with the SXDH assumption. The results can be found in the full version.
Figure 9. Hybrids for the transition from G 3, to G 3,+1 . The notation a += b is shorthand for a := a + b.