Tight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys


Romain Gay (ENS, Paris, France), Lucas Kowalczyk (Columbia University), Hoeteck Wee (ENS, Paris, France)

Abstract

We present a new public key broadcast encryption scheme where both the ciphertext and secret keys consist of a constant number of group elements. Our result improves upon the work of Boneh, Gentry and Waters (Crypto 05) as well as several recent follow-ups (TCC 16-A, Asiacrypt 16) in two ways: (i) we achieve adaptive security instead of selective security, and (ii) our construction relies on the decisional k-Linear Assumption in prime-order groups (as opposed to q-type assumptions or subgroup decisional assumptions in composite-order groups); our improvements come at the cost of a larger public key. Finally, we show that our scheme achieves adaptive security in the multi-ciphertext setting with a security loss that is independent of the number of challenge ciphertexts.

1 Introduction

Broadcast encryption schemes [FN94] allow a sender to encrypt messages to a set $\Gamma \subseteq [n]$ of authorized users such that any user in the set $\Gamma$ can decrypt, and no (possibly colluding) set of unauthorized users can learn anything about the plaintext. Two key measures of efficiency for broadcast encryption are the size of the secret keys and the ciphertext overhead (beyond the description of the recipient set and the symmetric encryption of the message). The early constructions of broadcast encryption schemes achieve ciphertext overhead that grows with the number of either authorized or excluded users [NNL01, HS02, DF02, GST04].

The BGW Cryptosystem. Ideally, we would like a broadcast encryption scheme where the size of secret keys and ciphertext overhead is independent of the number of users. This was first achieved in the break-through work of Boneh, Gentry and Waters [BGW05], which presented a broadcast encryption scheme in bilinear groups where both the secret keys and ciphertext overhead consist of a constant number of group elements. In their scheme, the decryption algorithm needs to know the public key, which is linear in the number of users.

Supported in part by a Google Fellowship. Work done while visiting ENS, Paris.

Supported in part by the Defense Advanced Research Projects Agency (DARPA) and Army Research Office (ARO) under Contract W911NF-15-C-0236; NSF grants CNS , CNS , and CCF ; and an NSF Graduate Research Fellowship DGE . Any opinions, findings, and conclusions or recommendations expressed are those of the authors and do not necessarily reflect the views of the Defense Advanced Research Projects Agency, Army Research Office, the National Science Foundation, or the U.S. Government.

Supported in part by ERC Project ascend (H

The BGW cryptosystem has two main limitations, which are the focus of several follow-up works as well as our current one:

First, the BGW scheme achieves selective security, where an adversary must declare a target set of unauthorized users with which it will attack the scheme before even seeing the system parameters. This restriction does not capture the power of many kinds of attackers (for instance, an attacker might choose to corrupt a user after seeing the public parameters, or in response to seeing secret keys for already corrupted parties), so in practice we would prefer to have schemes that satisfy the more general and stronger notion of adaptive security, which does not place such restrictions on the adversary.

Next, the BGW scheme relies on parameterized assumptions. Parameterized assumptions (a.k.a. q-type assumptions), while in some cases allowing for improvements over the state of the art, are not particularly well understood. The assumptions are often closely related to the schemes which use them. For example, the size of the assumption often scales with the number of oracle queries that can be made in the security reduction. Furthermore, q-type assumptions become stronger as q grows, with the time needed to recover the discrete logarithm and break the assumption scaling inversely with q [Che06]. As a result, it is desirable to design systems that can be proven secure under static assumptions, like the decisional k-Linear Assumption in prime-order bilinear groups (k-Lin).

These limitations were fixed individually by the works of [GW09] and [Wee16, CMM16a] respectively (the latter in composite-order groups), but improving [BGW05] to achieve security that is both adaptive and based on a static assumption has remained out of reach.

1.1 Our Results

In this paper we present the first broadcast encryption scheme with constant key and ciphertext overhead size that simultaneously overcomes both of the limitations above. Namely, we achieve adaptive security under a static assumption (k-Lin) in prime-order bilinear groups. Our improvements come at the cost of a larger public key that is quadratic instead of linear in the total number of users. We stress that prior to this work, it was not known how to achieve broadcast encryption with any size public parameters, constant-sized keys and ciphertext overhead, and even just selective security under a static assumption in prime-order groups.

As with the BGW cryptosystem and the follow-up works in [Wee16, CMM16a], the decryption algorithm in our scheme needs to know the public key in addition to the secret key. Considering the complications that come with managing user secret keys, which have to be distributed individually and stored securely, we achieve a desirable public/private key size tradeoff that makes sense particularly in applications where decryptors have access to large shared public storage.

We give an additional broadcast encryption scheme with constant key and ciphertext overhead size which is adaptively secure in the multi-challenge setting under static assumptions with a tight security reduction (where the security loss is independent of the number of challenge ciphertexts). Tight security reductions, which have been studied previously in the context of encryption [BBM00, HJ12] and signatures [Cor00], are desirable when fixing concrete security parameters, since the security loss directly impacts the size of scheme elements. In the context of advanced encryption schemes, tight constructions were only known for identity-based encryption [CW13]. In this work, we give the first tightly secure broadcast encryption scheme. Note that while our

security loss is independent of the number of challenge ciphertexts, it remains proportional to n, the number of users in the system. In this work, we view n as being not too large since our public key contains $O(n^2)$ group elements, which would be impractical for very large n anyway. Thus, a security loss of a small constant times n is much more desirable than one that is proportional to the number of challenge ciphertexts, which could be much larger for widely deployed systems.

1.2 Related Work

Previous broadcast encryption schemes for n users that are secure in the standard model either carry the baggage of an $(n/t, t)$-tradeoff in key/ciphertext size, use a non-static assumption (i.e., a q-type assumption), or are only secure in the weaker, selective security setting (see Figure 1). In fact, all known broadcast encryption schemes that are adaptively secure under a static assumption and that use the Dual System Encryption methodology [Att14, Wee14, CGW15, AC16] fall in the scope of the lower bound of $(n/t, t)$ for the (ciphertext overhead, secret key size) proved in [GKW15]. We note that we are able to bypass this lower bound by using the modified definition of broadcast encryption proposed by [BGW05], where decryption is allowed to take public parameters as input in addition to the secret key, as explained above.

  Reference                      | ct      | sk      | pk      | assumption | security  | Dec
  -------------------------------+---------+---------+---------+------------+-----------+----
  BGW05 [BGW05]                  | O(1)    | O(1)    | O(n)    | q-type     | selective | pk
  GW09 [GW09]                    | O(1)    | O(1)    | O(n)    | q-type     | adaptive  | pk
  Wee16 [Wee16], CMM16 [CMM16b]  | O(1)    | O(1)    | O(n)    | composite  | selective | pk
  BW06 [BW06]                    | O(√n)   | O(√n)   | O(√n)   | composite  | adaptive  |
  GKSW10 [GKSW10]                | O(√n)   | O(√n)   | O(n)    | 2-Lin      | adaptive  |
  Waters09 [Wat09]               | O(1)    | O(n)    | O(n)    | 2-Lin      | adaptive  |
  GKW15 [GKW15]                  | O(n/t)  | O(t)    | O(n)    | k-Lin      | adaptive  |
  this work                      | O(1)    | O(1)    | O(n^2)  | composite  | adaptive  | pk
  this work                      | O(1)    | O(1)    | O(n^2)  | k-Lin      | adaptive  | pk

Figure 1: Comparison amongst broadcast encryption schemes in the standard model, where n denotes the number of users, and ct, sk and pk respectively denote the ciphertext, secret key and public key size (i.e., the number of group elements or exponents of group elements). The last column refers to whether or not the decryption algorithm Dec requires the public key pk as input.

Short keys and ciphertext overhead have been accomplished in other schemes by moving outside the standard model: [GW09] gives a construction (different from the one depicted in Figure 1) which uses q-type assumptions with adaptive security and constant key and ciphertext overhead size, but in the random oracle model; [BWZ14] achieves adaptive security with polylogarithmic (in the number of users) size public parameters, keys, and ciphertext overhead, but is only proven secure in the multilinear generic group model; and [BZ14] achieves adaptive security with linear size public parameters, constant size keys and ciphertext overhead, but relies on strong assumptions, namely, indistinguishability obfuscation [BGI+01]. Lastly, we note that while our constructions harness the power of computational assumptions to achieve their efficiency, the problem of broadcast encryption has been studied in the information-theoretic realm as well [Sv98, SSW00, GSW00, GSY99].

1.3 Our Techniques

We give a construction in the composite-order setting which is secure under standard static decision assumptions to illustrate the main techniques, as well as a construction using prime-order bilinear groups which is secure under k-Lin.

Dual System Proof Methodology. We employ the dual system proof methodology [Wat09] to achieve the adaptive security of our schemes. A dual system encryption scheme is constructed so that an adversary cannot distinguish the distribution of normal keys (or ciphertexts) from special semi-functional keys (or ciphertexts). Semi-functional keys are capable of decrypting normal ciphertexts, but semi-functional keys cannot decrypt a semi-functional ciphertext. A typical dual system proof consists of a hybrid where the first step is constructing the challenge ciphertext as a semi-functional ciphertext. The hybrid then runs over each key requested by the adversary, replacing each requested key with a semi-functional key. At the end, only semi-functional keys are given to an adversary whose job is to break the security of a semi-functional ciphertext. Due to the way semi-functional ciphertexts and secret keys are constructed, it is typically easy to argue the game's security at this point (semi-functional secret keys cannot be used to decrypt any semi-functional ciphertexts, including the semi-functional challenge ciphertext).

Overview of the Construction. Our constructions can be understood by starting with the Boneh-Gentry-Waters construction for broadcast encryption [BGW05], which is selectively secure under a (non-static) q-type assumption. BGW's public parameters look like:

$\mathsf{pk} := \left(g^{\gamma},\; g^{\alpha}, g^{\alpha^2}, \ldots, g^{\alpha^n},\; h^{\alpha}, h^{\alpha^2}, \ldots, h^{\alpha^n}, h^{\alpha^{n+2}}, \ldots, h^{\alpha^{2n}},\; e(g,h)^{\alpha^{n+1}}\right)$

where $\gamma, \alpha$ are random exponents in $\mathbb{Z}_p$, and $g, h$ respectively generate prime-order groups $G, H$, where $|G| = |H| = p$, and $e : G \times H \to G_T$. The ciphertext for a subset $\Gamma \subseteq [n]$ and the key for a user $i \in [n]$ are given by:

$\mathsf{ct}_\Gamma := \left(g^{s},\; g^{(\gamma + \sum_{j \in \Gamma} \alpha^j)s},\; e(g,h)^{s\alpha^{n+1}} \cdot M\right), \qquad \mathsf{sk}_i := h^{\alpha^{n-i+1}\gamma}$

Decryption works as follows. Note that a message $M$ in a ciphertext is hidden by an encapsulation key $e(g,h)^{s\alpha^{n+1}}$. First, an authorized user of index $i$ pairs $h^{\alpha^{n-i+1}}$ from the public parameters with $g^{(\gamma + \sum_{j \in \Gamma} \alpha^j)s}$ from the ciphertext to get the encapsulation key hidden by a product of $e(g,h)^{s\alpha^{n+1-i+j}}$ for $j \neq i$, $j \in \Gamma$, and $e(g,h)^{s\alpha^{n-i+1}\gamma}$. The former can be removed by performing judicious pairings with elements from $\mathsf{pk}$ and $g^s$ from the ciphertext, and the latter can only be removed by computing the pairing of $g^s$ with the (authorized) user's secret key $\mathsf{sk}_i$. The encapsulation key can therefore be computed and used to obtain the message $M$.

The q-type assumption underlying BGW's security is enabled by the powers of $\alpha$. These powers prevent a straightforward dual-system proof of adaptive security from static assumptions. To obtain a construction based on static assumptions, we need to remove the powers of $\alpha$ in the scheme. Towards this goal, consider the substitutions:

$g^{\alpha^j} \to g^{w_j}, \qquad h^{\alpha^{n-j+1}} \to h^{r_j}, \qquad j \in [n]$

where $w_1, \ldots, w_n, r_1, \ldots, r_n$ are chosen uniformly at random. Correctness of the BGW scheme relies on the fact that $\{e(g^{\alpha^j s}, h^{\alpha^{n-i+1}})\}_{i,j \in [n],\, j \neq i}$

lies in a set of linear size, namely $\{e(g^s, h^{\alpha}), \ldots, e(g^s, h^{\alpha^n}), e(g^s, h^{\alpha^{n+2}}), \ldots, e(g^s, h^{\alpha^{2n}})\}$. With our substitutions, the corresponding collection lies in a set $\{e(g^s, h^{w_j r_i})\}_{i,j \in [n],\, j \neq i}$ of size $O(n^2)$, and hence the corresponding blow-up in the size of the public key, which needs to additionally contain $\{h^{w_j r_i}\}_{i,j \in [n],\, i \neq j}$. Finally, replacing the prime-order pairing group by a composite-order asymmetric bilinear group $(G, H, G_T)$ where $|G| = |H| = N = pq$, so as to use a subgroup membership assumption instead of the q-DBDH assumption used in BGW, and replacing $g \to g_p$, $h \to h_p$, where $g_p, h_p$ respectively generate $G_p, H_p$, prime-order subgroups of the groups $G, H$, we obtain our composite-order scheme.

Alternative Viewpoint. As seen above, we can view our construction as a modification of the broadcast encryption scheme from [BGW05] where we improve the secret key/public key size trade-off. An alternative way to view our construction is to start from the broadcast encryption scheme of Waters [Wat09], which can be proven adaptively secure from static assumptions (using the dual system proof methodology) and features constant size ciphertext overhead, but linear size secret keys. We describe the construction using composite-order asymmetric bilinear groups for simplicity:

$\mathsf{pk} := \left(\{g^{w_j}\}_{j \in [n]},\; e(g,h)^{\alpha}\right)$

$\mathsf{ct}_\Gamma := \left(g^{s},\; g^{s(u + \sum_{j \notin \Gamma} w_j)},\; e(g,h)^{s\alpha} \cdot M\right)$

$\mathsf{sk}_i := \left(h^{r_i},\; \{h^{w_j r_i}\}_{j \in [n],\, j \neq i},\; h^{\alpha + u r_i}\right)$

where $s, u, \alpha, w_j, r_i$ for $i, j \in [n]$ are random exponents in $\mathbb{Z}_N$, and $g, h$ respectively generate $G_p, H_p$, prime-order subgroups of the groups $G, H$, where $|G| = |H| = N = pq$, and $e : G \times H \to G_T$.

Decryption works as follows. Note that a message $M$ in a ciphertext is again hidden by an encapsulation key $e(g,h)^{s\alpha}$. To get the encapsulation key $e(g,h)^{s\alpha}$, decryption pairs $g^s$ with $h^{\alpha + u r_i}$. To get rid of the extra term $e(g,h)^{s u r_i}$, it pairs $g^{s(u + \sum_{j \notin \Gamma} w_j)}$ from the ciphertext together with $h^{r_i}$. Doing so, decryption also gets many cross terms of the form $e(g,h)^{s \sum_{j \notin \Gamma} w_j r_i}$ which can be stripped away by pairing $g^s$ with the appropriate $h^{w_j r_i}$ from the secret key. Note that these secret key elements are all available only when $i \in \Gamma$ and the key is therefore authorized.

To improve this construction's linear-sized secret keys to constant size, we pre-compute the values $\{h^{r_i}, h^{w_j r_i}\}_{j \in [n],\, j \neq i}$ and include them in the public parameters instead of the secret key. Therefore, the secret key is reduced to the part that contains the encapsulation key $\alpha$. Note that this crucially takes advantage of our modified model of broadcast encryption where decryption is allowed to use elements from the public key as well as the secret key.

Indeed, the main technical challenge in proving our schemes secure is to carry on the dual-system proof when the values $\{h^{r_i}, h^{w_j r_i}\}_{j \in [n],\, j \neq i}$ are public for every $i \in [n]$, and only a single group element remains private. This is in contrast to the security proof of previous dual system schemes, such as [Wat09], where the values $h^{r_i}, \{h^{w_j r_i}\}_{j \in [n],\, j \neq i}$ are known to the adversary only for queried keys $\mathsf{sk}_i$. We solve it by carefully switching the $h^{r_i}, \{h^{w_j r_i}\}_{j \in [n],\, j \neq i}$ for each $i \in [n]$

one by one to semi-functional, thereby changing the distribution of the public parameters over the hybrid through the keys. Similar techniques are also found in the selectively secure broadcast encryption of [Wee16, CMM16a], which removed the use of q-type assumptions in [BGW05], using the Déjà Q paradigm introduced by [CM14].

Prime-Order Groups. The scheme we just described in two ways is based on composite-order asymmetric bilinear groups. We give the scheme in detail in Section 3 and its proof in Section 4. For efficiency reasons [Gui13], schemes based on prime-order groups are preferable in practice. As such, we additionally provide a translation of our composite-order scheme to the prime-order setting in Section 5. Our construction uses a proof paradigm that can be seen as an optimization of known composite-to-prime-order translation frameworks, such as [Fre10, OT08, OT09, Lew12, CGW15, Att15, AC16]. Roughly speaking, in these frameworks, a random group element $g^s$ of a composite-order bilinear group $G$ is emulated by a vector of group elements $[\mathbf{A}\mathbf{s}]_1$, where $\mathbf{s} \in \mathbb{Z}_p^k$, $\mathbf{A} \in \mathbb{Z}_p^{(k+1) \times k}$ is a k-Lin matrix, and we use the bracket notation $[a]_i$ to denote the element $g_i^a$ for $i \in \{1, 2, T\}$ (for a prime-order bilinear group $G_1 \times G_2 \to G_T$). Here, $k$ depends on the k-Lin assumption used, i.e., $k = 1$ corresponds to the Symmetric External Diffie-Hellman Assumption, or SXDH. The decision assumption used to argue that $g^s \approx g^s g_q^{s'}$ in composite-order groups is replaced by the k-Lin assumption: $[\mathbf{A}\mathbf{s}]_1 \approx [\mathbf{u}]_1$, where $\mathbf{A} \in \mathbb{Z}_p^{(k+1) \times k}$ is a k-Lin matrix, $\mathbf{s} \leftarrow_R \mathbb{Z}_p^k$, and $\mathbf{u} \leftarrow_R \mathbb{Z}_p^{k+1}$ is a uniformly random vector over $\mathbb{Z}_p^{k+1}$. Finally, each group element $g^{w_i}$ of the public parameters is mapped to a $(k+1) \times (k+1)$ matrix of group elements. Our constructions employ an optimization that uses public parameter matrices of size only $(k+1) \times k$, thereby reducing the public parameters and the ciphertext size by a factor of $k + 1$ (see Figure 2). This is done by replacing the information-theoretic argument at the heart of the dual system encryption methodology (used to switch secret keys to semi-functional secret keys) with a computational argument. Similar techniques are used in [CW14, BKP14, AC16].

In [CGW15]:
$w_j \to \mathbf{W}_j \in \mathbb{Z}_p^{(k+1) \times (k+1)}$, $\quad s \to \mathbf{s} \in \mathbb{Z}_p^k$, $\quad r_i \to \mathbf{r}_i \in \mathbb{Z}_p^k$
$g^s \to [\mathbf{s}^\top \mathbf{A}^\top]_1$, $\quad h^{r_i} \to [\mathbf{B}\mathbf{r}_i]_2$
$g^{w_j s} \to [\mathbf{s}^\top \mathbf{A}^\top \mathbf{W}_j]_1$, $\quad h^{w_j r_i} \to [\mathbf{W}_j \mathbf{B}\mathbf{r}_i]_2$

In our work:
$w_j \to \mathbf{W}_j \in \mathbb{Z}_p^{(k+1) \times k}$, $\quad s \to \mathbf{s} \in \mathbb{Z}_p^k$, $\quad r_i \to \mathbf{r}_i \in \mathbb{Z}_p^k$
$g^s \to [\mathbf{s}^\top \mathbf{A}^\top]_1$, $\quad h^{r_i} \to [\mathbf{B}\mathbf{r}_i]_2$
$g^{w_j s} \to [\mathbf{s}^\top \mathbf{A}^\top \mathbf{W}_j]_1$, $\quad h^{w_j r_i} \to [\mathbf{W}_j \overline{\mathbf{B}}\mathbf{r}_i]_2$

Figure 2: $\mathbf{A}, \mathbf{B} \in \mathbb{Z}_p^{(k+1) \times k}$ are k-Lin matrices, and $\overline{\mathbf{B}} \in \mathbb{Z}_p^{k \times k}$ denotes the $k$ upper rows of $\mathbf{B}$.

Tight security proof in the multi-challenge setting. The security definition of public key encryption schemes typically involves a game where there is only one challenge ciphertext, since this implies security of the scheme when multiple challenge ciphertexts are allowed to be

requested via a standard hybrid argument. However, using such an argument incurs a security loss that is proportional to the number of challenge ciphertexts. This can be problematic since real-life attacks might be performed on many challenge ciphertexts. In particular, for widely deployed schemes, the number of challenge ciphertexts can be as large as $2^{20}$, or even more. A standard hybrid over the ciphertexts in the latter case results in an increase in the size of the security parameter by 30 compared to the setting where the adversary receives only one challenge ciphertext. For elliptic curve groups eligible to instantiate our scheme in which the SXDH assumption is believed to hold, such an increase would translate to a $2 \cdot 30 = 60$ bit increase in the size of each group element description. Thus, a tight security reduction allows for shorter group element descriptions and increased efficiency. Finally, note that the number of challenge ciphertexts can be unknown during the setup phase, which means that a conservative estimate could assume it to be high during security parameter calculation, thereby resulting in needlessly large group elements used in the scheme. Tight security reductions avoid this problem by allowing the security parameter to be set in a way that is independent of the number of challenge ciphertexts.

To obtain a tightly secure construction, we slightly modify the prime-order scheme mentioned above, so as to allow a different proof strategy. The modification does not incur any increase in the ciphertext size for the most efficient version of the scheme: when $k = 1$ and security holds under 1-Lin, a.k.a. the SXDH assumption. In general, the ciphertext size in the tightly secure scheme increases by $k - 1$ group elements when security is based on k-Lin. In the tight-security proof, we simultaneously switch all of the challenge ciphertexts to semi-functional mode using the random self-reducibility of the k-Lin assumption. Then, the high-level proof structure is similar to that of the previous scheme: we perform a hybrid argument that switches each secret key one by one to a semi-functional version (note that the number of secret keys is upper bounded by $n$, so this hybrid argument only incurs a security loss that is proportional to $n$, the number of users). To switch the key $\mathsf{sk}_l$ to semi-functional mode, we use entropy from the component $[\mathbf{W}_0 \mathbf{r}_l]_2$ in the key $\mathsf{sk}_l$ to obtain a new random semi-functional component (the component $\gamma_l \mathbf{a}$). Doing so requires analysis of the entropy of $\mathbf{W}_0$ leaked by the public key and the challenge ciphertext(s). When there is only one challenge ciphertext for some set of users $\Gamma$, the (non-tight) proof crucially relies on the fact that $l \notin \Gamma$ for the challenge $\Gamma$, as required by the security game definition and the fact that the adversary queried $\mathsf{sk}_l$. For the tight reduction, we have many challenges $\Gamma_i$, so we must deal with potentially more information about $\mathbf{W}_0$ being leaked. In fact, this is not the case: the challenge ciphertexts for all sets $\Gamma_i$ queried to EncO do not leak more information about $\mathbf{W}_0$ than a single ciphertext for the set $\bigcup_i \Gamma_i$, which would be an allowed challenge query given the same set of user keys. This allows us to reduce to the argument for the single-ciphertext case.

1.4 Discussion

Prior to this work, it wasn't clear what the bottleneck was in improving a broadcast encryption scheme with constant size secret keys and ciphertext overhead based on q-type assumptions to being based only on static assumptions. More specifically, one might ask: What exactly is the use of q-type assumptions in [BGW05] buying us? Our work clarifies that the main bottleneck is to get to linear-size public keys (and not constant-size secret keys or ciphertext overhead). Indeed, as noted earlier, if you replace the $r_i, w_i$ in the composite-order scheme of Section 3 with powers of $\alpha$ ($r_i = \alpha^i$, $w_i = \alpha^{n-i+1}$), we can compress the public parameters to linear size, and essentially recover the construction of [BGW05]. That is, the role of the q-type assumption is to compress a quadratic number of terms to linear. This is very different from the use of q-type

assumptions in the HIBE of [BBG05], for example, which were replaced with static assumptions by [LW10] without a loss in asymptotic parameters.

2 Preliminaries

2.1 Notation

We denote by $x \leftarrow_R X$ the fact that $x$ is picked uniformly at random from a finite set $X$. By PPT, we denote a probabilistic polynomial-time algorithm.

2.2 Bilinear Groups

We instantiate both broadcast encryption schemes using asymmetric bilinear groups. Let $\mathcal{G}$ be a probabilistic polynomial time (PPT) algorithm that on input a security parameter $1^\lambda$ returns an asymmetric bilinear group description $\mathbb{G} := (N, G_1, G_2, G_T, e)$, where $G_1$, $G_2$ and $G_T$ are cyclic groups of order $N$, and $e : G_1 \times G_2 \to G_T$ is a non-degenerate bilinear map. We require that the group operations in $G_1$, $G_2$ and $G_T$ as well as the bilinear map $e$ are computable in deterministic polynomial time.

Composite-order groups. For the composite-order construction in Section 3, we consider groups of order $N = pq$, where $p, q$ are distinct primes of $\Theta(\lambda)$ bits, and $G_1 = G$, $G_2 = H$ are asymmetric groups. In this setting, we can write $G = G_p G_q$ and $H = H_p H_q$, where $G_p, G_q, H_p, H_q$ are subgroups of the subscripted order. In addition, we use $G_s^*, H_s^*$ to denote $G_s \setminus \{1\}$, $H_s \setminus \{1\}$, where $s \in \{p, q\}$. We will often write $g_p, g_q, h_p, h_q$ to denote random generators for the subgroups $G_p, G_q, H_p, H_q$.

Prime-order groups. For the prime-order construction in Section 5, we consider groups of order $N = p$ for some prime $p$ of $\Theta(\lambda)$ bits, where $G_1$ and $G_2$ are possibly different groups (type 1, 2 or 3 pairing). We write $g_1, g_2$ to denote random generators of $G_1$ and $G_2$ respectively, and $g_T := e(g_1, g_2)$, which is a generator of $G_T$. We use implicit representation of group elements: for $a \in \mathbb{Z}_p$, define $[a]_s = g_s^a \in G_s$ as the implicit representation of $a$ in $G_s$, for $s \in \{1, 2, T\}$. Given $[a]_1$ and $[b]_2$, one can efficiently compute $[ab]_T$ using the pairing $e$. For two matrices $\mathbf{A} \in \mathbb{Z}_p^{l \times m}$, $\mathbf{B} \in \mathbb{Z}_p^{m \times n}$, define $e([\mathbf{A}]_1, [\mathbf{B}]_2) := [\mathbf{A}\mathbf{B}]_T \in G_T^{l \times n}$.

2.3 Static Composite-Order Assumptions

The security of the composite-order scheme in Section 3 is proven under three static assumptions in composite-order asymmetric bilinear groups. We define the advantage functions referred to in the assumptions in Figure 3.

Definition 2.1 (Composite-Order Static Decision Assumptions). We say that the Static Decision Assumptions hold relative to $\mathcal{G}$ if for all PPT adversaries $\mathcal{A}$, the advantages $\mathsf{Adv}^{\mathrm{SD1}}_{\mathcal{G},\mathcal{A}}(\lambda)$, $\mathsf{Adv}^{\mathrm{SD2}}_{\mathcal{G},\mathcal{A}}(\lambda)$, and $\mathsf{Adv}^{\mathrm{SD3}}_{\mathcal{G},\mathcal{A}}(\lambda)$ are negligible functions in $\lambda$.

2.4 Matrix Diffie-Hellman Assumptions

The security of the prime-order scheme in Section 5 is proven under the Matrix Decision Diffie-Hellman (MDDH) Assumption [EHK+13], whose definition we recall here.

Definition 2.2 (Matrix Distribution). Let $k, l \in \mathbb{N}$, with $l > k$. We call $\mathcal{D}_{l,k}$ a matrix distribution if it outputs matrices in $\mathbb{Z}_p^{l \times k}$ of full rank $k$ in polynomial time. We write $\mathcal{D}_k := \mathcal{D}_{k+1,k}$.

$\mathsf{Adv}^{\mathrm{SD1}}_{\mathcal{G},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]\right|$
where $\mathbb{G} \leftarrow \mathcal{G}(\lambda)$, $D := (g, h)$, $g \leftarrow_R G_p^*$, $h \leftarrow_R H_p^*$, and $T_0 := g^s \leftarrow_R G_p$, $T_1 := g^s g_q^{s'} \leftarrow_R G_p G_q$.

$\mathsf{Adv}^{\mathrm{SD2}}_{\mathcal{G},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]\right|$
where $\mathbb{G} \leftarrow \mathcal{G}(\lambda)$, $D := (g, h, g^s g_q^{s'}, h_q^{\alpha})$, $g \leftarrow_R G_p^*$, $h \leftarrow_R H_p^*$, $g^s g_q^{s'} \leftarrow_R G_p G_q$, $h_q^{\alpha} \leftarrow_R H_q$, and $T_0 := h^z \leftarrow_R H_p$, $T_1 := h^z h_q^{z'} \leftarrow_R H_p H_q$.

$\mathsf{Adv}^{\mathrm{SD3}}_{\mathcal{G},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(D, T_0) = 1] - \Pr[\mathcal{A}(D, T_1) = 1]\right|$
where $\mathbb{G} \leftarrow \mathcal{G}(\lambda)$, $D := (g, h, g^s g_q^{s'}, h^{\alpha} h_q^{\alpha'})$, $g \leftarrow_R G_p^*$, $h \leftarrow_R H_p^*$, $g^s g_q^{s'} \leftarrow_R G_p G_q$, $h^{\alpha} h_q^{\alpha'} \leftarrow_R H_p H_q$, and $T_0 := e(g,h)^{s\alpha}$, $T_1 := X \leftarrow_R G_T$.

Figure 3: Advantage functions

Without loss of generality, we assume the first $k$ rows of $\mathbf{A} \leftarrow_R \mathcal{D}_{l,k}$ form an invertible matrix. The $\mathcal{D}_{l,k}$-Matrix Diffie-Hellman problem in $G_s$ for $s \in \{1, 2, T\}$ is to distinguish the two distributions $([\mathbf{A}]_s, [\mathbf{A}\mathbf{w}]_s)$ and $([\mathbf{A}]_s, [\mathbf{u}]_s)$ where $\mathbf{A} \leftarrow_R \mathcal{D}_{l,k}$, $\mathbf{w} \leftarrow_R \mathbb{Z}_p^k$ and $\mathbf{u} \leftarrow_R \mathbb{Z}_p^l$.

Definition 2.3 ($\mathcal{D}_{l,k}$-Matrix Diffie-Hellman Assumption, $\mathcal{D}_{l,k}$-MDDH). Let $\mathcal{D}_{l,k}$ be a matrix distribution. We say that the $\mathcal{D}_{l,k}$-Matrix Diffie-Hellman ($\mathcal{D}_{l,k}$-MDDH) Assumption holds relative to $\mathcal{G}$ in $G_s$ for $s \in \{1, 2, T\}$ if for all PPT adversaries $\mathcal{A}$,

$\mathsf{Adv}^{\mathrm{MDDH}}_{\mathcal{G},\mathcal{D}_{l,k},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(\mathbb{G}, [\mathbf{A}]_s, [\mathbf{A}\mathbf{w}]_s) = 1] - \Pr[\mathcal{A}(\mathbb{G}, [\mathbf{A}]_s, [\mathbf{u}]_s) = 1]\right| = \mathrm{negl}(\lambda),$

where the probability is taken over $\mathbb{G} \leftarrow_R \mathcal{G}(1^\lambda)$, $\mathbf{A} \leftarrow_R \mathcal{D}_{l,k}$, $\mathbf{w} \leftarrow_R \mathbb{Z}_p^k$, $\mathbf{u} \leftarrow_R \mathbb{Z}_p^l$.

For each $k \geq 1$, [EHK+13] specifies distributions $\mathcal{L}_k$, $\mathcal{SC}_k$, $\mathcal{C}_k$ (and others) over $\mathbb{Z}_p^{(k+1) \times k}$ such that the corresponding $\mathcal{D}_k$-MDDH assumptions are generically secure in bilinear groups and form a hierarchy of increasingly weaker assumptions. $\mathcal{L}_k$-MDDH is the well-known k-Linear Assumption k-Lin, with 1-Lin = DDH.

Definition 2.4 (Uniform distribution). Let $l, k \in \mathbb{N}$, with $l > k$. We denote by $\mathcal{U}_{l,k}$ the uniform distribution over all full-rank $l \times k$ matrices over $\mathbb{Z}_p$. Let $\mathcal{U}_k := \mathcal{U}_{k+1,k}$.

Among all possible matrix distributions $\mathcal{D}_{l,k}$, the uniform matrix distribution $\mathcal{U}_k$ is the hardest possible instance, so in particular k-Lin $\Rightarrow$ $\mathcal{U}_k$-MDDH.

Lemma 2.5 ($\mathcal{D}_{l,k}$-MDDH $\Rightarrow$ $\mathcal{U}_k$-MDDH, [EHK+13]). Let $\mathcal{D}_{l,k}$ be a matrix distribution. For any PPT adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that $\mathbf{T}(\mathcal{B}) \approx \mathbf{T}(\mathcal{A})$ and $\mathsf{Adv}^{\mathrm{MDDH}}_{\mathcal{G},\mathcal{D}_{l,k},\mathcal{A}}(\lambda) = \mathsf{Adv}^{\mathrm{MDDH}}_{\mathcal{G},\mathcal{U}_k,\mathcal{B}}(\lambda)$.

Let $Q \geq 1$. For $\mathbf{W} \leftarrow_R \mathbb{Z}_p^{k \times Q}$, $\mathbf{U} \leftarrow_R \mathbb{Z}_p^{l \times Q}$, we consider the $Q$-fold $\mathcal{D}_{l,k}$-MDDH Assumption in $G_s$ for $s \in \{1, 2, T\}$, which consists in distinguishing the distributions $([\mathbf{A}]_s, [\mathbf{A}\mathbf{W}]_s)$ from $([\mathbf{A}]_s, [\mathbf{U}]_s)$. That is, a challenge for the $Q$-fold $\mathcal{D}_{l,k}$-MDDH Assumption consists of $Q$ independent challenges of the $\mathcal{D}_{l,k}$-MDDH Assumption (with the same $\mathbf{A}$ but different randomness $\mathbf{w}$). In [EHK+13] it is shown that the two problems are equivalent, where (for $Q \geq l - k$) the reduction loses a factor $l - k$.

Lemma 2.6 (Random self-reducibility of $\mathcal{D}_{l,k}$-MDDH, [EHK+13]). Let $l, k, Q \in \mathbb{N}$ with $l > k$. For any PPT adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that $\mathbf{T}(\mathcal{B}) \approx \mathbf{T}(\mathcal{A}) + Q \cdot \mathrm{poly}(\lambda)$ with $\mathrm{poly}(\lambda)$ independent of $\mathbf{T}(\mathcal{A})$, and

$\mathsf{Adv}^{Q\text{-}\mathrm{MDDH}}_{\mathcal{G},\mathcal{D}_{l,k},\mathcal{A}}(\lambda) \leq (l - k) \cdot \mathsf{Adv}^{\mathrm{MDDH}}_{\mathcal{G},\mathcal{D}_{l,k},\mathcal{B}}(\lambda)$

where $\mathsf{Adv}^{Q\text{-}\mathrm{MDDH}}_{\mathcal{G},\mathcal{D}_{l,k},\mathcal{A}}(\lambda) := \left|\Pr[\mathcal{A}(\mathbb{G}, [\mathbf{A}]_s, [\mathbf{A}\mathbf{W}]_s) = 1] - \Pr[\mathcal{A}(\mathbb{G}, [\mathbf{A}]_s, [\mathbf{U}]_s) = 1]\right|$ and the probability is over $\mathbb{G} \leftarrow_R \mathcal{G}(1^\lambda)$, $\mathbf{A} \leftarrow_R \mathcal{D}_{l,k}$, $\mathbf{W} \leftarrow_R \mathbb{Z}_p^{k \times Q}$, $\mathbf{U} \leftarrow_R \mathbb{Z}_p^{l \times Q}$.

2.5 Broadcast encryption

A broadcast encryption scheme consists of three randomized algorithms (Setup, Enc, Dec), along with a fourth deterministic procedure: KeyGen.

Setup$(1^\lambda, 1^n) \to (\mathsf{pk}, \mathsf{msk})$. The setup algorithm gets as input the security parameter $1^\lambda$ and the number of users $1^n$. It outputs the public parameters $\mathsf{pk}$ and master secret key $\mathsf{msk}$.

KeyGen$(\mathsf{msk}, i) \to \mathsf{sk}_i$. The key generation algorithm gets as input the master secret key $\mathsf{msk}$ and an index $i \in [n]$. It (deterministically) outputs the secret key for user $i$: $\mathsf{sk}_i$.

Enc$(\mathsf{pk}, \Gamma, M) \to \mathsf{ct}_\Gamma$. The encryption algorithm gets as input $\mathsf{pk}$ and a subset $\Gamma \subseteq [n]$. It outputs a ciphertext $\mathsf{ct}_\Gamma$. Here, $\Gamma$ is public given $\mathsf{ct}_\Gamma$.

Dec$(\mathsf{pk}, \mathsf{sk}_i, \mathsf{ct}_\Gamma) \to M$. The decryption algorithm gets as input $\mathsf{pk}$, $\mathsf{sk}_i$, and $\mathsf{ct}_\Gamma$. It outputs a message $M$.

Correctness. We require that for all $\Gamma \subseteq [n]$, messages $M$, and $i \in [n]$ for which $i \in \Gamma$,

$\Pr\left[\mathsf{ct}_\Gamma \leftarrow \mathrm{Enc}(\mathsf{pk}, \Gamma, M),\; \mathsf{sk}_i \leftarrow \mathrm{KeyGen}(\mathsf{msk}, i);\; \mathrm{Dec}(\mathsf{pk}, \mathsf{sk}_i, \mathsf{ct}_\Gamma) = M\right] = 1$

where the probability is taken over $(\mathsf{pk}, \mathsf{msk}) \leftarrow \mathrm{Setup}(1^\lambda, 1^n)$ and the coins of Enc.

Security. For an adversary $\mathcal{A}$, we define the advantage function

$\mathsf{Adv}^{\mathrm{BE}}_{\mathcal{A}}(\lambda) := \left|\Pr\left[b = b' \;:\; (b, \mathsf{pk}, \mathsf{msk}) \leftarrow \mathrm{SetupO};\; b' \leftarrow \mathcal{A}^{\mathrm{KeyGenO}(\cdot),\, \mathrm{EncO}(\cdot,\cdot,\cdot)}(1^\lambda)\right] - 1/2\right|$

where:

SetupO samples $(\mathsf{pk}, \mathsf{msk}) \leftarrow_R \mathrm{Setup}(1^\lambda, 1^n)$ and $b \leftarrow_R \{0, 1\}$, and returns $\mathsf{pk}$. SetupO is called once at the beginning of the game.

KeyGenO$(i \in [n])$ returns KeyGen$(\mathsf{msk}, i)$.

If $M_0$ and $M_1$ are two messages of equal length, and $\Gamma \subseteq [n]$, EncO$(\Gamma, M_0, M_1)$ returns Enc$(\mathsf{pk}, \Gamma, M_b)$.

with the restriction that all queries $i \in [n]$ that $\mathcal{A}$ makes to KeyGenO$(\cdot)$ and all queries $\Gamma \subseteq [n]$ to EncO satisfy $i \notin \Gamma$ (that is, $\mathsf{sk}_i$ does not decrypt $\mathsf{ct}_\Gamma$). Note that this definition allows the adversary to query EncO multiple times. We call this the multi-challenge setting and say that a broadcast encryption scheme is adaptively secure in the multi-challenge setting if for all PPT adversaries $\mathcal{A}$, $\mathsf{Adv}^{\mathrm{BE}}_{\mathcal{A}}(\lambda)$ is a negligible function in $\lambda$.

If we only consider adversaries that query EncO once, we have the standard notion of adaptive security. Namely, we say that a broadcast encryption scheme is adaptively secure if for all PPT adversaries $\mathcal{A}$ that issue only one query to EncO, $\mathsf{Adv}^{\mathrm{BE}}_{\mathcal{A}}(\lambda)$ is a negligible function in $\lambda$. Note that a scheme being adaptively secure implies that it is also adaptively secure in the multi-challenge setting via a hybrid argument over the challenge ciphertexts. However, this incurs a security loss proportional to the number of challenge ciphertexts. In Section 7, we present a scheme with a tight reduction in the multi-challenge security proof that avoids this loss.

3 Composite-Order Construction

Figure 4 shows our composite-order construction.

Setup$(1^\lambda, 1^n)$: $\mathbb{G} \leftarrow_R \mathcal{G}(1^\lambda)$; $g \leftarrow_R G_p^*$, $h \leftarrow_R H_p^*$; $\alpha, u \leftarrow_R \mathbb{Z}_N$; $\{w_i, r_i \leftarrow_R \mathbb{Z}_N\}_{i \in [n]}$.
Output $\mathsf{pk} = \left(g,\; g^{u},\; \{g^{w_i}\}_{i \in [n]},\; \{h^{r_i}\}_{i \in [n]},\; \{h^{w_i r_j}\}_{i \neq j},\; e(g,h)^{\alpha}\right)$ and $\mathsf{msk} = \left(h, \alpha, u, \{r_i\}_{i \in [n]}\right)$.

KeyGen$(\mathsf{msk}, i \in [n])$: Output $\mathsf{sk}_i = h^{\alpha + u r_i} \in H$.

Enc$(\mathsf{pk}, \Gamma \subseteq [n], M \in G_T)$: $s \leftarrow_R \mathbb{Z}_N$;
$C_0 := g^{s}$; $\quad C_1 := g^{s(u + \sum_{j \notin \Gamma} w_j)}$; $\quad C_2 := e(g,h)^{\alpha s} \cdot M$.
Output $\mathsf{ct}_\Gamma := (C_0, C_1, C_2) \in G^2 \times G_T$.

Dec$(\mathsf{ct}_\Gamma, \mathsf{sk}_i)$:
Compute $D_0 = e\left((g^{s})^{-1}, h^{\alpha + u r_i}\right) = e(g,h)^{-(s\alpha + s u r_i)}$, where $g^s = C_0$ and $h^{\alpha + u r_i} = \mathsf{sk}_i$.
Compute $D_1 = e\left(g^{s(u + \sum_{j \notin \Gamma} w_j)}, h^{r_i}\right) = e(g,h)^{s u r_i + s \sum_{j \notin \Gamma} w_j r_i}$, where the first argument is $C_1$ and $h^{r_i}$ is taken from $\mathsf{pk}$.
Compute $D_2 = e\left((g^{s})^{-1}, \prod_{j \notin \Gamma} h^{w_j r_i}\right) = e(g,h)^{-s \sum_{j \notin \Gamma} w_j r_i}$, where $g^s = C_0$ and the $h^{w_j r_i}$ are taken from $\mathsf{pk}$.
Compute and output $M = C_2 \cdot D_0 \cdot D_1 \cdot D_2$.

Figure 4: $\mathsf{BE}_{\mathrm{composite}}$, an adaptively secure broadcast encryption scheme based on composite-order bilinear groups.

4 Security Proof of the Composite-Order Construction

4.1 Hybrid definitions

Our proof will be accomplished through a standard dual system series of hybrids over the challenge ciphertext and $n$ key indices, beginning with $\mathrm{Game}_{\mathrm{real}}$, the real security game, and ending at $\mathrm{Game}_{\mathrm{final}}$, a game in which the adversary has no advantage. These games will differ in the distribution of the challenge ciphertext, secret keys, and public parameters. We define new semi-functional distributions of ciphertexts and secret keys in Figures 5 and 6.

Semi-functional Ciphertext. A semi-functional ciphertext is formed as follows:
Start with a normal $\mathsf{ct}_\Gamma = \big(M \cdot e(g,h)^{\alpha s},\ g^s,\ g^{s(u + \sum_{j\notin\Gamma} w_j)}\big)$.
Pick $s', u', w'_1, \ldots, w'_n \leftarrow_R \mathbb{Z}_N$.
Output $\mathsf{ct}_\Gamma = \big(M \cdot e(g,h)^{\alpha s},\ g^s g_q^{s'},\ g^{s(u + \sum_{j\notin\Gamma} w_j)} \cdot g_q^{s'(u' + \sum_{j\notin\Gamma} w'_j)}\big)$.

Figure 5: Semi-functional Ciphertext

To form semi-functional keys and public parameters for index $t$, first the normal public parameter and key generation procedures are performed to get:
$\mathsf{pk} := \big(g,\ g^u,\ \{g^{w_i}\}_{i\in[n]},\ \{h^{r_i}\}_{i\in[n]},\ \{h^{w_i r_j}\}_{i\neq j},\ e(g,h)^\alpha\big)$, $\quad \mathsf{sk}_t := h^{\alpha + u r_t}$.
Draw $\alpha', w'_1, \ldots, w'_n, r'_1, \ldots, r'_n \leftarrow_R \mathbb{Z}_N$. The remaining steps depend on the particular type of semi-functional key / public parameters:

Type $(t,1)$ semi-functional keys: $\mathsf{sk}_{t,1} := h^{\alpha + u r_t} \cdot h_q^{u' r'_t}$.

Type $(t,2)$ semi-functional keys: $\mathsf{sk}_{t,2} := h^{\alpha + u r_t} \cdot h_q^{\alpha' + u' r'_t}$.

Type $(t,3)$ semi-functional keys: $\mathsf{sk}_{t,3} := h^{\alpha + u r_t} \cdot h_q^{\alpha'}$.

Type $t$ public parameters: $\mathsf{pk}_t := \big(g,\ g^u,\ \{g^{w_i}\}_{i\in[n]},\ \{h^{r_i}\}_{i\in[n],\, i\neq t} \cup \{h^{r_t} h_q^{r'_t}\},\ \{h^{w_i r_j}\}_{i\neq j,\, j\neq t} \cup \{h^{w_i r_t} h_q^{w'_i r'_t}\}_{i\neq t},\ e(g,h)^\alpha\big)$.

Figure 6: Semi-functional Keys

$\mathsf{Game}_0$: Same as $\mathsf{Game}_{\mathsf{real}}$, but the challenge ciphertext is semi-functional.
$\mathsf{Game}_{l,1}$: Same as $\mathsf{Game}_{(l-1),3}$, but the public parameters are semi-functional of type $l$ and the key for index $l$ is semi-functional of type $(l,1)$.
$\mathsf{Game}_{l,2}$: Same as $\mathsf{Game}_{l,1}$, but the key for index $l$ is semi-functional of type $(l,2)$ (the public parameters remain semi-functional of type $l$).
$\mathsf{Game}_{l,3}$: Same as $\mathsf{Game}_{l,2}$, but the public parameters are normally formed and the key for index $l$ is semi-functional of type $(l,3)$.
$\mathsf{Game}_{\mathsf{final}}$: Same as $\mathsf{Game}_{n,3}$, except the message $M_b$ in the challenge ciphertext is blinded by an independently random group element $X \leftarrow_R G_T$ instead of $e(g,h)^{\alpha s}$.

Figure 7: Hybrid Games

We use these distributions in Figure 7 to define the hybrid games, where $l$ ranges from $1$ to $n$. Note that $\mathsf{Game}_0$ is identical to $\mathsf{Game}_{0,3}$. We first argue that no adversary can achieve a non-negligible difference in advantage between $\mathsf{Game}_{\mathsf{real}}$ and $\mathsf{Game}_0 = \mathsf{Game}_{0,3}$. We then hybrid over each key index, arguing that no adversary can achieve a non-negligible difference in advantage between $\mathsf{Game}_{(l-1),3}$ and $\mathsf{Game}_{l,1}$, then $\mathsf{Game}_{l,1}$ and $\mathsf{Game}_{l,2}$, then $\mathsf{Game}_{l,2}$ and $\mathsf{Game}_{l,3}$ for $l = 1, \ldots, n$, until arriving at $\mathsf{Game}_{n,3}$ and finally $\mathsf{Game}_{\mathsf{final}}$, in which the adversary has no non-negligible advantage. Namely, we show that
$$\mathsf{Game}_{\mathsf{real}} \approx_c \mathsf{Game}_0 \equiv \mathsf{Game}_{0,3} \approx_c \mathsf{Game}_{1,1} \equiv \mathsf{Game}_{1,2} \approx_c \mathsf{Game}_{1,3} \approx_c \mathsf{Game}_{2,1} \equiv \cdots \approx_c \mathsf{Game}_{n,3} \approx_c \mathsf{Game}_{\mathsf{final}},$$
where $\equiv$ denotes statistical equality and $\approx_c$ denotes computational indistinguishability. Figure 8 details how the constructions change throughout these games. Notice that in the hybrid over key requests, all semi-functional keys before the hybrid index $t$ are unable to decrypt a semi-functional ciphertext, even if they were in the authorized set. The key for index $t$ becomes unable to do the same starting in $\mathsf{Game}_{t,2}$.

SetupO: $\mathbb{G} = (N, G, H, G_T, e) \leftarrow \mathcal{G}(1^\lambda)$; $\alpha, u \leftarrow_R \mathbb{Z}_N$; $\alpha' \leftarrow_R \mathbb{Z}_N$; $u' \leftarrow_R \mathbb{Z}_N$; $\{w_i, r_i \leftarrow_R \mathbb{Z}_N\}_{i\in[n]}$; $\{w'_i, r'_i \leftarrow_R \mathbb{Z}_N\}_{i\in[n]}$.
In $\mathsf{Game}_{\mathsf{real}}$, $\mathsf{Game}_0$ and $\mathsf{Game}_{t,3}$: $\mathsf{pk} = \big(g,\ g^u,\ \{g^{w_i}\}_{i},\ \{h^{r_i}\}_{i},\ \{h^{w_i r_j}\}_{i\neq j},\ e(g,h)^\alpha\big)$.
In $\mathsf{Game}_{t,1}$ and $\mathsf{Game}_{t,2}$: $\mathsf{pk}_t := \big(g,\ g^u,\ \{g^{w_i}\}_{i},\ \{h^{r_i}\}_{i\neq t} \cup \{h^{r_t} h_q^{r'_t}\},\ \{h^{w_i r_j}\}_{i\neq j,\, j\neq t} \cup \{h^{w_i r_t} h_q^{w'_i r'_t}\}_{i\neq t},\ e(g,h)^\alpha\big)$.
Output $\mathsf{pk}$.

EncO($\Gamma \subseteq [n]$, $M_0 \in G_T$, $M_1 \in G_T$): $b \leftarrow_R \{0,1\}$, $s \leftarrow_R \mathbb{Z}_N$, $s' \leftarrow_R \mathbb{Z}_N$.
$C_0 := g^s$ in $\mathsf{Game}_{\mathsf{real}}$; $C_0 := g^s \cdot g_q^{s'}$ in all other games.
$C_1 := g^{s(u + \sum_{j\notin\Gamma} w_j)}$ in $\mathsf{Game}_{\mathsf{real}}$; $C_1 := g^{s(u + \sum_{j\notin\Gamma} w_j)} \cdot g_q^{s'(u' + \sum_{j\notin\Gamma} w'_j)}$ in all other games.
$C_2 := e(g,h)^{\alpha s} \cdot M_b$.
Output $\mathsf{ct}_\Gamma := (C_0, C_1, C_2) \in G \times G \times G_T$.

KeyGenO($l \in [n]$):
For $l < t$: $\mathsf{sk}_l := h^{\alpha + u r_l} \cdot h_q^{\alpha'}$.
For $l = t$ in $\mathsf{Game}_{t,1}$: $\mathsf{sk}_t := h^{\alpha + u r_t} \cdot h_q^{u' r'_t}$.
For $l = t$ in $\mathsf{Game}_{t,2}$: $\mathsf{sk}_t := h^{\alpha + u r_t} \cdot h_q^{\alpha' + u' r'_t}$.
For $l = t$ in $\mathsf{Game}_{t,3}$: $\mathsf{sk}_t := h^{\alpha + u r_t} \cdot h_q^{\alpha'}$.
For $l > t$, and for all keys in $\mathsf{Game}_{\mathsf{real}}$: $\mathsf{sk}_l := h^{\alpha + u r_l}$.
Output $\mathsf{sk}_l$.

Figure 8: $\mathsf{Game}_{\mathsf{real}}$, $\mathsf{Game}_0$, $\mathsf{Game}_{t,1}$, $\mathsf{Game}_{t,2}$ (for $1 \le t \le n$), $\mathsf{Game}_{t,3}$ (for $0 \le t \le n$) for the proof of security of $\mathsf{BE}_{\mathsf{composite}}$ defined in Figure 4. In each procedure, every component is annotated with the games in which it is present; unannotated components are present in all games.

4.2 Hybrid Indistinguishability

We will show that any PPT adversary $\mathcal{A}$'s advantage in the real game, $\mathsf{Adv}^{\mathsf{BE}}_{\mathcal{A}}(\lambda) = \mathsf{Adv}_{\mathsf{real}}$, satisfies the following:
$$\mathsf{Adv}^{\mathsf{BE}}_{\mathcal{A}}(\lambda) = \mathsf{Adv}_{\mathsf{real}} \le \mathsf{Adv}^{\mathsf{SD1}}_{\mathbb{G},\mathcal{A}_1}(\lambda) + n \cdot \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_2}(\lambda) + n \cdot \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_3}(\lambda) + \mathsf{Adv}^{\mathsf{SD3}}_{\mathbb{G},\mathcal{A}_4}(\lambda)$$
for adversaries $\mathcal{A}_1, \mathcal{A}_2, \mathcal{A}_3, \mathcal{A}_4$ whose running times are essentially the same as $\mathcal{A}$'s. We accomplish this in the following lemmas. Let $\mathsf{Adv}_i$ denote the adversary's advantage in $\mathsf{Game}_i$. Then:

Lemma 4.1. $|\mathsf{Adv}_{\mathsf{real}} - \mathsf{Adv}_0| = |\mathsf{Adv}_{\mathsf{real}} - \mathsf{Adv}_{0,3}| \le \mathsf{Adv}^{\mathsf{SD1}}_{\mathbb{G},\mathcal{A}_1}(\lambda)$.

Proof. Given $g \leftarrow_R G_p$, $h \leftarrow_R H_p$, and $T = g^s \leftarrow_R G_p$ or $T = g^s g_q^{s'} \leftarrow_R G_p G_q$, an adversary $\mathcal{A}_1$ could simulate the security game with $\mathcal{A}$ by running Setup and using KeyGen to respond to all key requests as usual with $g, h$. When the challenge ciphertext is requested for set $\Gamma$, form it as follows:
$$\mathsf{ct}_\Gamma = \big(M_b \cdot e(T, h^\alpha),\ T,\ T^{\,u + \sum_{j\notin\Gamma} w_j}\big).$$
Notice that when $T = g^s$, this is the same distribution as $\mathsf{Game}_{\mathsf{real}}$. When $T = g^s g_q^{s'}$, this is the same distribution as $\mathsf{Game}_0 = \mathsf{Game}_{0,3}$ (due to the Chinese Remainder Theorem, $g_q^{s'(u + \sum_{j\notin\Gamma} w_j)}$ is distributed identically to $g_q^{s'(u' + \sum_{j\notin\Gamma} w'_j)}$ where $u', w'_j$ are chosen independently at random from $\mathbb{Z}_N$). It follows that a difference in advantage $|\mathsf{Adv}_{\mathsf{real}} - \mathsf{Adv}_{0,3}|$ of $\mathcal{A}$ could be used by $\mathcal{A}_1$ to achieve the same advantage in the Static Decision Problem 1, so
$$|\mathsf{Adv}_{\mathsf{real}} - \mathsf{Adv}_{0,3}| \le \mathsf{Adv}^{\mathsf{SD1}}_{\mathbb{G},\mathcal{A}_1}(\lambda).$$

Lemma 4.2. $|\mathsf{Adv}_{(t-1),3} - \mathsf{Adv}_{t,1}| \le \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_2}(\lambda)$ for $t = 1, \ldots, n$.

Proof. Given $g \leftarrow_R G_p$, $h \leftarrow_R H_p$, $g^s g_q^{s'} \leftarrow_R G_p G_q$, $h_q^{\alpha'} \leftarrow_R H_q$, and $T = h^z \leftarrow_R H_p$ or $T = h^z h_q^{z'} \leftarrow_R H_p H_q$, an adversary $\mathcal{A}_2$ could simulate the security game with $\mathcal{A}$ by first forming the public parameters as follows:
$\alpha, u, w_1, \ldots, w_n, r_1, \ldots, r_{t-1}, r_{t+1}, \ldots, r_n \leftarrow_R \mathbb{Z}_N$.
Output: $\mathsf{pk} = \big(g,\ g^u,\ \{g^{w_i}\}_{i\in[n]},\ \{h^{r_i}\}_{i\neq t} \cup \{T\},\ \{h^{w_i r_j}\}_{i\neq j,\, j\neq t} \cup \{T^{w_i}\}_{i\neq t},\ e(g,h)^\alpha\big)$.
To form the (semi-functional) challenge ciphertext for set $\Gamma$, compute:
$$\mathsf{ct}_\Gamma = \big(M_b \cdot e(g^s g_q^{s'}, h^\alpha),\ g^s g_q^{s'},\ (g^s g_q^{s'})^{u + \sum_{j\notin\Gamma} w_j}\big)$$

(recall that due to the Chinese Remainder Theorem, $g^u g_q^{u}$ and $g^{w_i} g_q^{w_i}$ are distributed identically to $g^u g_q^{u'}$ and $g^{w_i} g_q^{w'_i}$ for independently chosen $u', w'_i$).
To form semi-functional keys of type $(l,3)$ for indices $l$ less than $t$, compute: $\mathsf{sk}_{l,3} = h^{\alpha + u r_l} \cdot (h_q^{\alpha'})$.
Notice that normal keys for indices greater than $t$ can also be computed, since $\alpha$, $u$, $h$ and $r_l$ are known (for all $l \neq t$). For a key request for index $t$, compute: $\mathsf{sk}_t = h^\alpha \cdot (T)^u$.
Notice that when $T = h^z$, this is the same distribution as $\mathsf{Game}_{(t-1),3}$ (the secret key for index $t$ and the public parameters are distributed normally, where $r_t = z$). When $T = h^z h_q^{z'}$, this is the same distribution as $\mathsf{Game}_{t,1}$ (the secret key for index $t$ is semi-functional of type $(t,1)$ and the public parameters are semi-functional of type $t$, where $r_t = z$ and $r'_t = z'$). It follows that a difference in advantage $|\mathsf{Adv}_{(t-1),3} - \mathsf{Adv}_{t,1}|$ of $\mathcal{A}$ for any $t = 1, \ldots, n$ could be used by $\mathcal{A}_2$ to achieve the same advantage in the Static Decision Problem 2, so
$$|\mathsf{Adv}_{(t-1),3} - \mathsf{Adv}_{t,1}| \le \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_2}(\lambda) \quad \text{for } t = 1, \ldots, n.$$

Lemma 4.3. $\mathsf{Adv}_{t,1} - \mathsf{Adv}_{t,2} = 0$ for $t = 1, \ldots, n$.

Proof. The distributions of $\mathsf{Game}_{t,1}$ and $\mathsf{Game}_{t,2}$ are actually identical. To see this, note that the only difference between $\mathsf{Game}_{t,1}$ and $\mathsf{Game}_{t,2}$ is that the $h_q$ component of the secret key for index $t$ goes from $h_q^{r'_t u'}$ to $h_q^{\alpha' + r'_t u'}$. If index $t$ is not queried, then there is obviously no difference in distribution between the games. Otherwise, if a key for index $t$ is queried, notice that the only place $w'_t$ occurs is in the $g_q^{s'(u' + \sum_{j\notin\Gamma} w'_j)}$ component of the challenge ciphertext (we know that $w'_t$ occurs in the sum because this key request must be for an index $t$ not in the authorized set $\Gamma$). Therefore, this $w'_t$ in the summation is enough to information-theoretically hide the value of $u'$ given just the challenge ciphertext. The only other place $u'$ occurs is in the $h_q$ component of the secret key for index $t$: $h_q^{r'_t u'}$.
So $u'$ is enough to make the distribution of $h_q^{r'_t u'}$ uniformly random (identical to $h_q^{\alpha' + r'_t u'}$ for an independent random $\alpha'$). Either way, the two distributions are identical, and therefore $\mathsf{Adv}_{t,1} - \mathsf{Adv}_{t,2} = 0$ for $t = 1, \ldots, n$.

Lemma 4.4. $|\mathsf{Adv}_{t,2} - \mathsf{Adv}_{t,3}| \le \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_3}(\lambda)$ for $t = 1, \ldots, n$.

Proof. Given $g \leftarrow_R G_p$, $h \leftarrow_R H_p$, $g^s g_q^{s'} \leftarrow_R G_p G_q$, $h_q^{\alpha'} \leftarrow_R H_q$, and $T = h^z \leftarrow_R H_p$ or $T = h^z h_q^{z'} \leftarrow_R H_p H_q$, an adversary $\mathcal{A}_3$ could simulate the security game with $\mathcal{A}$ by first forming the public parameters as follows:
$\alpha, u, w_1, \ldots, w_n, r_1, \ldots, r_{t-1}, r_{t+1}, \ldots, r_n \leftarrow_R \mathbb{Z}_N$.

Output: $\mathsf{pk} = \big(g,\ g^u,\ \{g^{w_i}\}_{i\in[n]},\ \{h^{r_i}\}_{i\neq t} \cup \{T\},\ \{h^{w_i r_j}\}_{i\neq j,\, j\neq t} \cup \{T^{w_i}\}_{i\neq t},\ e(g,h)^\alpha\big)$.
To form the (semi-functional) challenge ciphertext for set $\Gamma$, compute:
$$\mathsf{ct}_\Gamma = \big(M_b \cdot e(g^s g_q^{s'}, h^\alpha),\ g^s g_q^{s'},\ (g^s g_q^{s'})^{u + \sum_{j\notin\Gamma} w_j}\big)$$
(recall that due to the Chinese Remainder Theorem, $g^u g_q^{u}$ and $g^{w_i} g_q^{w_i}$ are distributed identically to $g^u g_q^{u'}$ and $g^{w_i} g_q^{w'_i}$ for independently chosen $u', w'_i$).
To form semi-functional keys of type $(l,3)$ for indices less than $t$, compute: $\mathsf{sk}_{l,3} = h^{\alpha + u r_l} \cdot (h_q^{\alpha'})$.
Notice that normal keys for indices greater than $t$ can also be computed, since $\alpha$, $u$, $h$, and $r_l$ are known (for all $l \neq t$). For a key request for index $t$, compute: $\mathsf{sk}_t = h^\alpha \cdot (T)^u \cdot (h_q^{\alpha'})$.
Notice that when $T = h^z h_q^{z'}$, this is the same distribution as $\mathsf{Game}_{t,2}$ (the secret key for index $t$ is semi-functional of type $(t,2)$ and the public parameters are semi-functional of type $t$, where $r_t = z$ and $r'_t = z'$). When $T = h^z$, this is the same distribution as $\mathsf{Game}_{t,3}$ (the public parameters are distributed normally and the $t$-th secret key is semi-functional of type $(t,3)$, where $r_t = z$). It follows that a difference in advantage $|\mathsf{Adv}_{t,2} - \mathsf{Adv}_{t,3}|$ of $\mathcal{A}$ for any $t = 1, \ldots, n$ could be used by $\mathcal{A}_3$ to achieve the same advantage in the Static Decision Problem 2, so
$$|\mathsf{Adv}_{t,2} - \mathsf{Adv}_{t,3}| \le \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_3}(\lambda) \quad \text{for } t = 1, \ldots, n.$$

The preceding three lemmas take us all the way up to $\mathsf{Game}_{n,3}$, where the public parameters are normally formed, the challenge ciphertext is semi-functional, and all keys are semi-functional of type $(l,3)$. We argue that any difference in advantage of $\mathcal{A}$ between this game and $\mathsf{Game}_{\mathsf{final}}$, which is the same game except that the message $M_b$ is blinded by an independently random target group element, can be used to achieve the same advantage in the Static Decision Problem 3:

Lemma 4.5. $|\mathsf{Adv}_{n,3} - \mathsf{Adv}_{\mathsf{final}}| \le \mathsf{Adv}^{\mathsf{SD3}}_{\mathbb{G},\mathcal{A}_4}(\lambda)$.

Proof. Given $g \leftarrow_R G_p$, $h \leftarrow_R H_p$, $g^s g_q^{s'} \leftarrow_R G_p G_q$, $h^\alpha h_q^{\alpha'} \leftarrow_R H_p H_q$, and $T = e(g,h)^{\alpha s}$ or $T = X \leftarrow_R G_T$, an adversary $\mathcal{A}_4$ could simulate the security game with $\mathcal{A}$ by forming the public parameters as follows:
$u, w_1, \ldots, w_n, r_1, \ldots, r_n \leftarrow_R \mathbb{Z}_N$;
$\mathsf{pk} = \big(g,\ g^u,\ \{g^{w_i}\}_{i\in[n]},\ \{h^{r_i}\}_{i\in[n]},\ \{h^{w_i r_j}\}_{i\neq j},\ e(g, h^\alpha h_q^{\alpha'})\big)$.

To form the (semi-functional) challenge ciphertext for set $\Gamma$, compute:
$$\mathsf{ct}_\Gamma = \big(M_b \cdot T,\ g^s g_q^{s'},\ (g^s g_q^{s'})^{u + \sum_{j\notin\Gamma} w_j}\big).$$
To form semi-functional keys of type $(l,3)$, compute $\mathsf{sk}_{l,3} = (h^\alpha h_q^{\alpha'}) \cdot h^{u r_l}$ for any $l \in [n]$ requested.
Note that if $T = e(g,h)^{\alpha s}$, then this game is distributed exactly as $\mathsf{Game}_{n,3}$. If $T = X$ for a uniformly random $X$, then we are in $\mathsf{Game}_{\mathsf{final}}$. It follows that a difference in advantage $|\mathsf{Adv}_{n,3} - \mathsf{Adv}_{\mathsf{final}}|$ of $\mathcal{A}$ could be used by $\mathcal{A}_4$ to achieve the same advantage in the Static Decision Problem 3, so $|\mathsf{Adv}_{n,3} - \mathsf{Adv}_{\mathsf{final}}| \le \mathsf{Adv}^{\mathsf{SD3}}_{\mathbb{G},\mathcal{A}_4}(\lambda)$.

Theorem 4.6. If the Static Decision Assumptions of Definition 2.1 hold, then the broadcast encryption scheme $\mathsf{BE}_{\mathsf{composite}}$ defined in Figure 4 is adaptively secure.

Proof. Summing the statements of the previous lemmas gives us:
$$|\mathsf{Adv}_{\mathsf{real}} - \mathsf{Adv}_{\mathsf{final}}| \le \mathsf{Adv}^{\mathsf{SD1}}_{\mathbb{G},\mathcal{A}_1}(\lambda) + n \cdot \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_2}(\lambda) + n \cdot \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_3}(\lambda) + \mathsf{Adv}^{\mathsf{SD3}}_{\mathbb{G},\mathcal{A}_4}(\lambda).$$
In $\mathsf{Game}_{\mathsf{final}}$ the challenge message $M_b$ is information-theoretically hidden by $X$, so no PPT adversary can achieve nonzero advantage in this game (that is, $\mathsf{Adv}_{\mathsf{final}} = 0$). So we have:
$$\mathsf{Adv}_{\mathsf{real}} \le \mathsf{Adv}^{\mathsf{SD1}}_{\mathbb{G},\mathcal{A}_1}(\lambda) + n \cdot \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_2}(\lambda) + n \cdot \mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_3}(\lambda) + \mathsf{Adv}^{\mathsf{SD3}}_{\mathbb{G},\mathcal{A}_4}(\lambda).$$
Our static decision assumptions state that $\mathsf{Adv}^{\mathsf{SD1}}_{\mathbb{G},\mathcal{A}_1}(\lambda)$, $\mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_2}(\lambda)$, $\mathsf{Adv}^{\mathsf{SD2}}_{\mathbb{G},\mathcal{A}_3}(\lambda)$, $\mathsf{Adv}^{\mathsf{SD3}}_{\mathbb{G},\mathcal{A}_4}(\lambda)$ are negligible functions of $\lambda$ (and $n$ is a polynomial function of $\lambda$), so the advantage $\mathsf{Adv}^{\mathsf{BE}}_{\mathcal{A}}(\lambda) = \mathsf{Adv}_{\mathsf{real}}$ is a negligible function of $\lambda$, and therefore our scheme is adaptively secure.

5 Prime-Order Construction

Our prime-order construction is detailed in Figure 9.

Setup($1^\lambda$, $1^n$): $\mathbb{G} \leftarrow_R \mathcal{G}(1^\lambda)$; $\mathbf{A} \leftarrow_R \mathcal{D}_k$; $\mathbf{k} \leftarrow_R \mathbb{Z}_p^{k+1}$; $\mathbf{W}_0 \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$; $\{\mathbf{W}_i \leftarrow_R \mathbb{Z}_p^{(k+1)\times k},\ \mathbf{r}_i \leftarrow_R \mathbb{Z}_p^k\}_{i\in[n]}$.
Output $\mathsf{pk} := \big([\mathbf{A}]_1,\ [\mathbf{A}^\top \mathbf{W}_0]_1,\ \{[\mathbf{A}^\top \mathbf{W}_i]_1,\ [\mathbf{r}_i]_2\}_{i\in[n]},\ [\mathbf{A}^\top \mathbf{k}]_T,\ \{[\mathbf{W}_j \mathbf{r}_i]_2\}_{i,j\in[n],\, i\neq j}\big)$ and $\mathsf{msk} := \big([\mathbf{k}]_2,\ \{[\mathbf{W}_0 \mathbf{r}_i]_2\}_{i\in[n]}\big)$.

KeyGen($\mathsf{msk}$, $i \in [n]$): Output $\mathsf{sk}_i := [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_i]_2 \in G_2^{k+1}$.

Enc($\mathsf{pk}$, $\Gamma \subseteq [n]$, $M \in G_T$): $\mathbf{s} \leftarrow_R \mathbb{Z}_p^k$;
$C_0 := [\mathbf{s}^\top \mathbf{A}^\top]_1$; $\quad C_1 := \big[\mathbf{s}^\top \mathbf{A}^\top \big(\mathbf{W}_0 + \sum_{j\notin\Gamma} \mathbf{W}_j\big)\big]_1$; $\quad C_2 := [\mathbf{s}^\top \mathbf{A}^\top \mathbf{k}]_T \cdot M$.
Output $\mathsf{ct}_\Gamma := (C_0, C_1, C_2) \in G_1^{2k+1} \times G_T$.

Dec($\mathsf{ct}_\Gamma$, $\mathsf{sk}_i$): // $\mathsf{ct}_\Gamma$ and $\mathsf{sk}_i$ implicitly contain a description of $\Gamma$ and $i$
Compute
$$e\big([\mathbf{s}^\top \mathbf{A}^\top]_1,\ [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_i]_2\big) \,/\, e\big(\big[\mathbf{s}^\top \mathbf{A}^\top \big(\mathbf{W}_0 + \textstyle\sum_{j\notin\Gamma} \mathbf{W}_j\big)\big]_1,\ [\mathbf{r}_i]_2\big) = \big[\mathbf{s}^\top \mathbf{A}^\top \mathbf{k} - \textstyle\sum_{j\notin\Gamma} \mathbf{s}^\top \mathbf{A}^\top \mathbf{W}_j \mathbf{r}_i\big]_T,$$
where the first pairing takes $C_0$ and $\mathsf{sk}_i$, and the second takes $C_1$ and $[\mathbf{r}_i]_2$ from $\mathsf{pk}$.
Multiply the previous term by $e\big([\mathbf{s}^\top \mathbf{A}^\top]_1,\ [\sum_{j\notin\Gamma} \mathbf{W}_j \mathbf{r}_i]_2\big)$, which pairs $C_0$ with elements of $\mathsf{pk}$ (available for $i \in \Gamma$), to get the encapsulation key $[\mathbf{s}^\top \mathbf{A}^\top \mathbf{k}]_T$ and to output the message $M$.

Figure 9: $\mathsf{BE}_{\mathsf{prime}}$, an adaptively secure broadcast encryption scheme based on prime-order bilinear groups.

6 Security Proof of the Prime-Order Construction

We now give the security proof of the scheme $\mathsf{BE}_{\mathsf{prime}}$ presented in Figure 9.

Theorem 6.1. If the $\mathcal{D}_k$-MDDH Assumption holds in $G_1$ and $G_2$, then the broadcast encryption scheme $\mathsf{BE}_{\mathsf{prime}}$ defined in Figure 9 is adaptively secure (as defined in Section 2.5). Namely, for any adversary $\mathcal{A}$, there exists an adversary $\mathcal{B}$ such that $\mathbf{T}(\mathcal{B}) \approx \mathbf{T}(\mathcal{A})$ and
$$\mathsf{Adv}^{\mathsf{BE}}_{\mathcal{A}}(\lambda) \le (2n+1) \cdot \mathsf{Adv}^{\mathsf{MDDH}}_{\mathbb{G},\mathcal{D}_k,\mathcal{B}}(\lambda) + 2^{-\Omega(\lambda)},$$
where $n$ is the number of users.

We prove Theorem 6.1 via a series of games described in Figure 10, and we use $\mathsf{Adv}_i$ to denote the advantage of $\mathcal{A}$ in game $\mathsf{Game}_i$. Namely, we show that
$$\mathsf{Game}_{\mathsf{real}} \approx_c \mathsf{Game}_0 \approx_c \mathsf{Game}_1 \approx_c \cdots \approx_c \mathsf{Game}_n,$$
where $\approx_c$ denotes computational indistinguishability. $\mathsf{Game}_{\mathsf{real}}$ is the security game as defined in Section 2.5, and the other $\mathsf{Game}_i$ are defined in Figure 10. Theorem 6.1 follows from Lemmas 6.2, 6.3 and 6.4 below.

SetupO: $\mathbb{G} \leftarrow_R \mathcal{G}(1^\lambda)$; $\mathbf{A} \leftarrow_R \mathcal{D}_k$; $\mathbf{k} \leftarrow_R \mathbb{Z}_p^{k+1}$; $\mathbf{W}_0, \ldots, \mathbf{W}_n \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$; $\mathbf{r}_1, \ldots, \mathbf{r}_n \leftarrow_R \mathbb{Z}_p^k$.
In $\mathsf{Game}_t$ only: $\mathbf{a}^\perp \leftarrow_R \mathcal{U}_{k+1,1}$ such that $\mathbf{A}^\top \mathbf{a}^\perp = \mathbf{0}$.
Output $\mathsf{pk} := \big([\mathbf{A}]_1,\ [\mathbf{A}^\top \mathbf{W}_0]_1,\ \{[\mathbf{A}^\top \mathbf{W}_i]_1,\ [\mathbf{r}_i]_2\}_{i\in[n]},\ [\mathbf{A}^\top \mathbf{k}]_T,\ \{[\mathbf{W}_j \mathbf{r}_i]_2\}_{i,j\in[n],\, i\neq j}\big)$.

KeyGenO($l \in [n]$): In $\mathsf{Game}_{\mathsf{real}}$: $\mathsf{sk}_l := [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_l]_2$.
In $\mathsf{Game}_t$: if $l \le t$, $\mathsf{sk}_l := [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_l + \gamma_l \mathbf{a}^\perp]_2$ with $\gamma_l \leftarrow_R \mathbb{Z}_p$; otherwise, $\mathsf{sk}_l := [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_l]_2$.

EncO($\Gamma \subseteq [n]$, $M_0 \in G_T$, $M_1 \in G_T$): $b \leftarrow_R \{0,1\}$; $\mathbf{s} \leftarrow_R \mathbb{Z}_p^k$; $\mathbf{z} := \mathbf{A}\mathbf{s}$ in $\mathsf{Game}_{\mathsf{real}}$; $\mathbf{z} \leftarrow_R \mathbb{Z}_p^{k+1}$ in $\mathsf{Game}_t$.
$C_0 := [\mathbf{z}^\top]_1$; $\quad C_1 := \big[\mathbf{z}^\top \big(\mathbf{W}_0 + \sum_{j\notin\Gamma} \mathbf{W}_j\big)\big]_1$; $\quad C_2 := [\mathbf{z}^\top \mathbf{k}]_T \cdot M_b$;
$\mathsf{ct}_\Gamma := (C_0, C_1, C_2) \in G_1^{2k+1} \times G_T$.

Figure 10: $\mathsf{Game}_{\mathsf{real}}$, $\mathsf{Game}_t$ (for $0 \le t \le n$) for the proof of security of $\mathsf{BE}_{\mathsf{prime}}$ defined in Figure 9. Here $n$ denotes the number of users. In each procedure, the components marked "$\mathsf{Game}_t$" are only present in the games $\mathsf{Game}_t$.

Lemma 6.2 ($\mathsf{Game}_{\mathsf{real}} \approx_c \mathsf{Game}_0$). There exists an adversary $\mathcal{B}_0$ such that $\mathbf{T}(\mathcal{B}_0) \approx \mathbf{T}(\mathcal{A})$ and $|\mathsf{Adv}_{\mathsf{real}} - \mathsf{Adv}_0| \le \mathsf{Adv}^{\mathsf{MDDH}}_{\mathbb{G},\mathcal{D}_k,\mathcal{B}_0}(\lambda)$.

Here, we use the MDDH assumption to switch the distribution of the challenge ciphertext.

Proof. To go from $\mathsf{Game}_{\mathsf{real}}$ to $\mathsf{Game}_0$, we switch the distribution of the vector $[\mathbf{z}]_1$ in the challenge ciphertext, using the $\mathcal{D}_k$-MDDH Assumption on $[\mathbf{A}]_1$ (see Definition 2.3). Upon receiving a challenge $(\mathbb{G}, [\mathbf{A}]_1, [\mathbf{v}]_1)$ for the $\mathcal{D}_k$-MDDH Assumption, $\mathcal{B}_0$ picks $b \leftarrow_R \{0,1\}$, $\mathbf{k} \leftarrow_R \mathbb{Z}_p^{k+1}$, $\mathbf{W}_0, \ldots, \mathbf{W}_n \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$, $\mathbf{r}_1, \ldots, \mathbf{r}_n \leftarrow_R \mathbb{Z}_p^k$, sets $[\mathbf{z}]_1 := [\mathbf{v}]_1$, and simulates the public parameters, the secret keys and the challenge ciphertext as defined in Figure 10. Note that when $[\mathbf{v}]_1$ is a proper MDDH sample, $\mathcal{B}_0$ simulates $\mathsf{Game}_{\mathsf{real}}$, and when $[\mathbf{v}]_1$ is uniformly random over $G_1^{k+1}$, it simulates $\mathsf{Game}_0$.

Lemma 6.3 ($\mathsf{Game}_{t-1} \approx_c \mathsf{Game}_t$). For all $t \in [n]$, there exists an adversary $\mathcal{B}_{t-1}$ such that $\mathbf{T}(\mathcal{B}_{t-1}) \approx \mathbf{T}(\mathcal{A})$ and $|\mathsf{Adv}_{t-1} - \mathsf{Adv}_t| \le 2 \cdot \mathsf{Adv}^{\mathsf{MDDH}}_{\mathbb{G},\mathcal{D}_k,\mathcal{B}_{t-1}}(\lambda)$.

Here, we embed an MDDH challenge in $\mathsf{pk}$ and $\mathsf{sk}_t$. More precisely, the simulator sets $\mathbf{r}_t := \overline{\mathbf{B}} \mathbf{v}_t \in \mathbb{Z}_p^k$, where $\mathbf{B} \leftarrow_R \mathcal{D}_k$ and $\mathbf{v}_t \leftarrow_R \mathbb{Z}_p^k$, i.e. the upper part of an MDDH challenge.
The lower part $\underline{\mathbf{B}} \mathbf{v}_t \in \mathbb{Z}_p$ is embedded in $\mathsf{sk}_t$, if $\mathsf{sk}_t$ is queried by the adversary (it may not be, in particular if $t \in \Gamma$). Note that the simulator needs to know whether $\mathsf{sk}_t$ is going to be queried by the adversary when simulating $\mathsf{pk}$.

Proof. Upon receiving a challenge $(\mathbb{G}, [\mathbf{B}]_2, [\mathbf{v}]_2)$ for the $\mathcal{D}_k$-MDDH Assumption, $\mathcal{B}_{t-1}$ simulates $\mathcal{A}$'s view as follows.

SetupO: $\mathcal{B}_{t-1}$ guesses whether $\mathcal{A}$ is going to query $\mathsf{sk}_t$ (by picking a random $\beta \leftarrow_R \{0,1\}$). If so ($\beta = 1$), $\mathbf{W}_0$ and $\mathbf{W}_t$ are implicitly defined as $\mathbf{W}_0 := \widehat{\mathbf{W}}_0 - \mathbf{a}^\perp \mathbf{T}_{\mathbf{B}}$ and $\mathbf{W}_t := \widehat{\mathbf{W}}_t + \mathbf{a}^\perp \mathbf{T}_{\mathbf{B}}$, where $\widehat{\mathbf{W}}_0, \widehat{\mathbf{W}}_t \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$ and $\mathbf{T}_{\mathbf{B}} := \underline{\mathbf{B}}\,\overline{\mathbf{B}}^{-1} \in \mathbb{Z}_p^{1\times k}$ (recall that w.l.o.g. $\overline{\mathbf{B}}$ is an invertible matrix). Otherwise ($\beta = 0$), they are defined as $\mathbf{W}_0 := \widehat{\mathbf{W}}_0 \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$ and $\mathbf{W}_t := \widehat{\mathbf{W}}_t \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$. Then, $\mathcal{B}_{t-1}$ picks $\mathbf{A} \leftarrow_R \mathcal{D}_k$; $\mathbf{a}^\perp \leftarrow_R \mathcal{U}_{k+1,1}$ such that $\mathbf{A}^\top \mathbf{a}^\perp = \mathbf{0}$; $\mathbf{k} \leftarrow_R \mathbb{Z}_p^{k+1}$; $\mathbf{W}_i \leftarrow_R \mathbb{Z}_p^{(k+1)\times k}$; $\mathbf{v}_i \leftarrow_R \mathbb{Z}_p^k$, and sets $[\mathbf{r}_i]_2 := [\overline{\mathbf{B}} \mathbf{v}_i]_2$, for $i \in [n]$, $i \neq t$. Finally, $\mathcal{B}_{t-1}$ embeds the upper part of the MDDH challenge in $\mathbf{r}_t$ by setting $[\mathbf{r}_t]_2 := [\overline{\mathbf{v}}]_2$. It outputs
$$\mathsf{pk} := \Big([\mathbf{A}]_1,\ [\mathbf{A}^\top \mathbf{W}_0]_1, \ldots, \underbrace{[\mathbf{A}^\top \mathbf{W}_t]_1}_{= [\mathbf{A}^\top \widehat{\mathbf{W}}_t]_1}, \ldots, [\mathbf{A}^\top \mathbf{W}_n]_1,\ [\mathbf{A}^\top \mathbf{k}]_T,\ [\mathbf{r}_1]_2, \ldots, \underbrace{[\mathbf{r}_t]_2}_{= [\overline{\mathbf{v}}]_2}, \ldots, [\mathbf{r}_n]_2,\ \{[\mathbf{W}_i \mathbf{r}_j]_2\}_{i,j\in[n],\, i\neq j,\, i\neq t},\ \{\underbrace{[\mathbf{W}_t \mathbf{r}_j]_2}_{\substack{= [\widehat{\mathbf{W}}_t \overline{\mathbf{B}} \mathbf{v}_j]_2 \text{ if } \beta = 0 \\ = [\widehat{\mathbf{W}}_t \overline{\mathbf{B}} \mathbf{v}_j + \mathbf{a}^\perp \underline{\mathbf{B}} \mathbf{v}_j]_2 \text{ if } \beta = 1}}\}_{j\in[n],\, j\neq t}\Big).$$
Note that the simulated $\mathsf{pk}$ is identically distributed (independently of $\beta$) to the $\mathsf{pk}$ in $\mathsf{Game}_{t-1}$ and $\mathsf{Game}_t$ ($\mathsf{pk}$ is identically distributed in these two games).

KeyGenO($l \in [n]$): For each query $l \in [n]$, $\mathcal{B}_{t-1}$ picks $\gamma_l \leftarrow_R \mathbb{Z}_p$ and outputs $\mathsf{sk}_l := [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_l + \gamma_l \mathbf{a}^\perp]_2$ if $l \le t-1$, and $\mathsf{sk}_l := [\mathbf{k} + \mathbf{W}_0 \mathbf{r}_l]_2$ if $l > t$, where $\mathbf{W}_0$ is implicitly set to $\widehat{\mathbf{W}}_0$ if $\beta = 0$, and to $\widehat{\mathbf{W}}_0 - \mathbf{a}^\perp \mathbf{T}_{\mathbf{B}}$ if $\beta = 1$. If $l = t$, then $\beta$ should be $1$. If this is not the case, $\mathcal{B}_{t-1}$ aborts the simulation, since the guess was incorrect. Otherwise, it outputs $\mathsf{sk}_t := [\mathbf{k} + \widehat{\mathbf{W}}_0 \overline{\mathbf{v}} - \mathbf{a}^\perp \underline{\mathbf{v}}]_2$. Note that when $[\mathbf{v}]_2$ is a real MDDH challenge, i.e. $\underline{\mathbf{v}} = \mathbf{T}_{\mathbf{B}} \overline{\mathbf{v}}$, then $\widehat{\mathbf{W}}_0 \overline{\mathbf{v}} - \mathbf{a}^\perp \underline{\mathbf{v}} = \mathbf{W}_0 \mathbf{r}_t$, that is, $\mathsf{sk}_t$ is distributed as in $\mathsf{Game}_{t-1}$. When it is a uniformly random vector, i.e. $\underline{\mathbf{v}} = \mathbf{T}_{\mathbf{B}} \overline{\mathbf{v}} + \gamma_t$ where $\gamma_t \leftarrow_R \mathbb{Z}_p$, then $\widehat{\mathbf{W}}_0 \overline{\mathbf{v}} - \mathbf{a}^\perp \underline{\mathbf{v}} = \mathbf{W}_0 \mathbf{r}_t - \gamma_t \mathbf{a}^\perp$, that is, $\mathsf{sk}_t$ is distributed as in $\mathsf{Game}_t$.

EncO($\Gamma \subseteq [n]$, $M_0 \in G_T$, $M_1 \in G_T$): $\mathcal{B}_{t-1}$ picks $b \leftarrow_R \{0,1\}$; $\mathbf{z} \leftarrow_R \mathbb{Z}_p^{k+1}$; sets $C_0 := [\mathbf{z}^\top]_1$ and $C_2 := [\mathbf{z}^\top \mathbf{k}]_T \cdot M_b$. Then:
If $\beta = 0$: $\mathcal{B}_{t-1}$ sets $C_1 := \big[\mathbf{z}^\top \big(\mathbf{W}_0 + \sum_{j\notin\Gamma} \mathbf{W}_j\big)\big]_1$, where $\mathbf{W}_0 = \widehat{\mathbf{W}}_0$ and $\mathbf{W}_t = \widehat{\mathbf{W}}_t$.
If $\beta = 1$: If $t \in \Gamma$, then in particular $\mathsf{sk}_t$ cannot be queried by $\mathcal{A}$, by definition of the security game.
Therefore, $\mathcal{B}_{t-1}$ aborts the simulation: the guess was incorrect. Otherwise, it sets $C_1 := \big[\mathbf{z}^\top \big(\widehat{\mathbf{W}}_0 + \sum_{i\notin\Gamma,\, i\neq t} \mathbf{W}_i + \widehat{\mathbf{W}}_t\big)\big]_1$.


More information

Distributed Rule-Based Inference in the Presence of Redundant Information

Distributed Rule-Based Inference in the Presence of Redundant Information istribution Statement : roved for ublic release; distribution is unlimited. istributed Rule-ased Inference in the Presence of Redundant Information June 8, 004 William J. Farrell III Lockheed Martin dvanced

More information

Fault Tolerant Quantum Computing Robert Rogers, Thomas Sylwester, Abe Pauls

Fault Tolerant Quantum Computing Robert Rogers, Thomas Sylwester, Abe Pauls CIS 410/510, Introduction to Quantum Information Theory Due: June 8th, 2016 Sring 2016, University of Oregon Date: June 7, 2016 Fault Tolerant Quantum Comuting Robert Rogers, Thomas Sylwester, Abe Pauls

More information

An Investigation of Some Forward Security Properties for PEKS and IBE

An Investigation of Some Forward Security Properties for PEKS and IBE An Investigation of Some Forward Security Proerties for PEKS and IBE Qiang Tang APSIA grou, SnT, University of Luxemourg 6, rue Richard Coudenhove-Kalergi, L-359 Luxemourg qiang.tang@uni.lu Astract. In

More information

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS

ON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS #A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,

More information

The non-stochastic multi-armed bandit problem

The non-stochastic multi-armed bandit problem Submitted for journal ublication. The non-stochastic multi-armed bandit roblem Peter Auer Institute for Theoretical Comuter Science Graz University of Technology A-8010 Graz (Austria) auer@igi.tu-graz.ac.at

More information

Tests for Two Proportions in a Stratified Design (Cochran/Mantel-Haenszel Test)

Tests for Two Proportions in a Stratified Design (Cochran/Mantel-Haenszel Test) Chater 225 Tests for Two Proortions in a Stratified Design (Cochran/Mantel-Haenszel Test) Introduction In a stratified design, the subects are selected from two or more strata which are formed from imortant

More information

arxiv: v1 [physics.data-an] 26 Oct 2012

arxiv: v1 [physics.data-an] 26 Oct 2012 Constraints on Yield Parameters in Extended Maximum Likelihood Fits Till Moritz Karbach a, Maximilian Schlu b a TU Dortmund, Germany, moritz.karbach@cern.ch b TU Dortmund, Germany, maximilian.schlu@cern.ch

More information

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction

GOOD MODELS FOR CUBIC SURFACES. 1. Introduction GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in

More information

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University

A Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group

More information

Supplementary Materials for Robust Estimation of the False Discovery Rate

Supplementary Materials for Robust Estimation of the False Discovery Rate Sulementary Materials for Robust Estimation of the False Discovery Rate Stan Pounds and Cheng Cheng This sulemental contains roofs regarding theoretical roerties of the roosed method (Section S1), rovides

More information

Tightly Secure CCA-Secure Encryption without Pairings

Tightly Secure CCA-Secure Encryption without Pairings Tightly Secure CCA-Secure Encryption without Pairings Romain Gay 1,, Dennis Hofheinz 2,, Eike Kiltz 3,, and Hoeteck Wee 1, 1 ENS, Paris, France rgay,wee@di.ens.fr 2 Ruhr-Universität Bochum, Bochum, Germany

More information

Randomness Extraction in finite fields F p

Randomness Extraction in finite fields F p Randomness Extraction in finite fields F n Abdoul Aziz Ciss École doctorale de Mathématiques et d Informatique, Université Cheikh Anta Dio de Dakar, Sénégal BP: 5005, Dakar Fann abdoul.ciss@ucad.edu.sn,

More information

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004 CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed

More information

John Weatherwax. Analysis of Parallel Depth First Search Algorithms

John Weatherwax. Analysis of Parallel Depth First Search Algorithms Sulementary Discussions and Solutions to Selected Problems in: Introduction to Parallel Comuting by Viin Kumar, Ananth Grama, Anshul Guta, & George Karyis John Weatherwax Chater 8 Analysis of Parallel

More information

A Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem

A Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com

More information

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models

Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Evaluating Circuit Reliability Under Probabilistic Gate-Level Fault Models Ketan N. Patel, Igor L. Markov and John P. Hayes University of Michigan, Ann Arbor 48109-2122 {knatel,imarkov,jhayes}@eecs.umich.edu

More information

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security

Outline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key

More information

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups

Towards a Classification of Non-interactive Computational Assumptions in Cyclic Groups Towards a Classification of Non-interactive Comutational Assumtions in Cyclic Grous Essam Ghadafi 1 and Jens Groth 2 1 University of the West of England, Bristol, UK Essam.Ghadafi@gmail.com 2 University

More information

Estimation of the large covariance matrix with two-step monotone missing data

Estimation of the large covariance matrix with two-step monotone missing data Estimation of the large covariance matrix with two-ste monotone missing data Masashi Hyodo, Nobumichi Shutoh 2, Takashi Seo, and Tatjana Pavlenko 3 Deartment of Mathematical Information Science, Tokyo

More information

cient Round-Optimal Blind Signatures in the Standard Model

cient Round-Optimal Blind Signatures in the Standard Model E cient Round-Otimal lind Signatures in the Standard Model Essam Ghadafi University of the West of England, ristol, UK Essam.Ghadafi@gmail.com bstract. lind signatures are at the core of e-cash systems

More information

An Analysis of Reliable Classifiers through ROC Isometrics

An Analysis of Reliable Classifiers through ROC Isometrics An Analysis of Reliable Classifiers through ROC Isometrics Stijn Vanderlooy s.vanderlooy@cs.unimaas.nl Ida G. Srinkhuizen-Kuyer kuyer@cs.unimaas.nl Evgueni N. Smirnov smirnov@cs.unimaas.nl MICC-IKAT, Universiteit

More information

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar

Topic: Lower Bounds on Randomized Algorithms Date: September 22, 2004 Scribe: Srinath Sridhar 15-859(M): Randomized Algorithms Lecturer: Anuam Guta Toic: Lower Bounds on Randomized Algorithms Date: Setember 22, 2004 Scribe: Srinath Sridhar 4.1 Introduction In this lecture, we will first consider

More information

Unbounded HIBE and Attribute-Based Encryption

Unbounded HIBE and Attribute-Based Encryption Unbounded HIBE and ttribute-based Encryption llison Lewko University of Texas at ustin alewko@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work, we present

More information

3 Properties of Dedekind domains

3 Properties of Dedekind domains 18.785 Number theory I Fall 2016 Lecture #3 09/15/2016 3 Proerties of Dedekind domains In the revious lecture we defined a Dedekind domain as a noetherian domain A that satisfies either of the following

More information

Towards understanding the Lorenz curve using the Uniform distribution. Chris J. Stephens. Newcastle City Council, Newcastle upon Tyne, UK

Towards understanding the Lorenz curve using the Uniform distribution. Chris J. Stephens. Newcastle City Council, Newcastle upon Tyne, UK Towards understanding the Lorenz curve using the Uniform distribution Chris J. Stehens Newcastle City Council, Newcastle uon Tyne, UK (For the Gini-Lorenz Conference, University of Siena, Italy, May 2005)

More information

State Estimation with ARMarkov Models

State Estimation with ARMarkov Models Deartment of Mechanical and Aerosace Engineering Technical Reort No. 3046, October 1998. Princeton University, Princeton, NJ. State Estimation with ARMarkov Models Ryoung K. Lim 1 Columbia University,

More information

DISCRIMINANTS IN TOWERS

DISCRIMINANTS IN TOWERS DISCRIMINANTS IN TOWERS JOSEPH RABINOFF Let A be a Dedekind domain with fraction field F, let K/F be a finite searable extension field, and let B be the integral closure of A in K. In this note, we will

More information

1-way quantum finite automata: strengths, weaknesses and generalizations

1-way quantum finite automata: strengths, weaknesses and generalizations 1-way quantum finite automata: strengths, weaknesses and generalizations arxiv:quant-h/9802062v3 30 Se 1998 Andris Ambainis UC Berkeley Abstract Rūsiņš Freivalds University of Latvia We study 1-way quantum

More information

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule

The Graph Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule The Grah Accessibility Problem and the Universality of the Collision CRCW Conflict Resolution Rule STEFAN D. BRUDA Deartment of Comuter Science Bisho s University Lennoxville, Quebec J1M 1Z7 CANADA bruda@cs.ubishos.ca

More information

Contribution to functional encryption through encodings

Contribution to functional encryption through encodings University of Wollongong Research Online University of Wollongong Thesis Collection 1954-2016 University of Wollongong Thesis Collections 2016 Contribution to functional encryption through encodings Jongkil

More information

Robust hamiltonicity of random directed graphs

Robust hamiltonicity of random directed graphs Robust hamiltonicity of random directed grahs Asaf Ferber Rajko Nenadov Andreas Noever asaf.ferber@inf.ethz.ch rnenadov@inf.ethz.ch anoever@inf.ethz.ch Ueli Peter ueter@inf.ethz.ch Nemanja Škorić nskoric@inf.ethz.ch

More information

Joint Property Estimation for Multiple RFID Tag Sets Using Snapshots of Variable Lengths

Joint Property Estimation for Multiple RFID Tag Sets Using Snapshots of Variable Lengths Joint Proerty Estimation for Multile RFID Tag Sets Using Snashots of Variable Lengths ABSTRACT Qingjun Xiao Key Laboratory of Comuter Network and Information Integration Southeast University) Ministry

More information

Efficient Cryptosystems From 2 k -th Power Residue Symbols

Efficient Cryptosystems From 2 k -th Power Residue Symbols Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com

More information

A randomized sorting algorithm on the BSP model

A randomized sorting algorithm on the BSP model A randomized sorting algorithm on the BSP model Alexandros V. Gerbessiotis a, Constantinos J. Siniolakis b a CS Deartment, New Jersey Institute of Technology, Newark, NJ 07102, USA b The American College

More information

ECE 534 Information Theory - Midterm 2

ECE 534 Information Theory - Midterm 2 ECE 534 Information Theory - Midterm Nov.4, 009. 3:30-4:45 in LH03. You will be given the full class time: 75 minutes. Use it wisely! Many of the roblems have short answers; try to find shortcuts. You

More information

Uniform Law on the Unit Sphere of a Banach Space

Uniform Law on the Unit Sphere of a Banach Space Uniform Law on the Unit Shere of a Banach Sace by Bernard Beauzamy Société de Calcul Mathématique SA Faubourg Saint Honoré 75008 Paris France Setember 008 Abstract We investigate the construction of a

More information

On the asymptotic sizes of subset Anderson-Rubin and Lagrange multiplier tests in linear instrumental variables regression

On the asymptotic sizes of subset Anderson-Rubin and Lagrange multiplier tests in linear instrumental variables regression On the asymtotic sizes of subset Anderson-Rubin and Lagrange multilier tests in linear instrumental variables regression Patrik Guggenberger Frank Kleibergeny Sohocles Mavroeidisz Linchun Chen\ June 22

More information

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)

SQUARES IN Z/NZ. q = ( 1) (p 1)(q 1) SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the

More information

Radial Basis Function Networks: Algorithms

Radial Basis Function Networks: Algorithms Radial Basis Function Networks: Algorithms Introduction to Neural Networks : Lecture 13 John A. Bullinaria, 2004 1. The RBF Maing 2. The RBF Network Architecture 3. Comutational Power of RBF Networks 4.

More information

INTRODUCTION. Please write to us at if you have any comments or ideas. We love to hear from you.

INTRODUCTION. Please write to us at if you have any comments or ideas. We love to hear from you. Casio FX-570ES One-Page Wonder INTRODUCTION Welcome to the world of Casio s Natural Dislay scientific calculators. Our exeriences of working with eole have us understand more about obstacles eole face

More information

Some Unitary Space Time Codes From Sphere Packing Theory With Optimal Diversity Product of Code Size

Some Unitary Space Time Codes From Sphere Packing Theory With Optimal Diversity Product of Code Size IEEE TRANSACTIONS ON INFORMATION THEORY, VOL. 5, NO., DECEMBER 4 336 Some Unitary Sace Time Codes From Shere Packing Theory With Otimal Diversity Product of Code Size Haiquan Wang, Genyuan Wang, and Xiang-Gen

More information

Almost All Palindromes Are Composite

Almost All Palindromes Are Composite Almost All Palindromes Are Comosite William D Banks Det of Mathematics, University of Missouri Columbia, MO 65211, USA bbanks@mathmissouriedu Derrick N Hart Det of Mathematics, University of Missouri Columbia,

More information

Lecture 17: Constructions of Public-Key Encryption

Lecture 17: Constructions of Public-Key Encryption COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,

More information

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding

Outline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift

More information

On split sample and randomized confidence intervals for binomial proportions

On split sample and randomized confidence intervals for binomial proportions On slit samle and randomized confidence intervals for binomial roortions Måns Thulin Deartment of Mathematics, Usala University arxiv:1402.6536v1 [stat.me] 26 Feb 2014 Abstract Slit samle methods have

More information

Heuristics on Tate Shafarevitch Groups of Elliptic Curves Defined over Q

Heuristics on Tate Shafarevitch Groups of Elliptic Curves Defined over Q Heuristics on Tate Shafarevitch Grous of Ellitic Curves Defined over Q Christohe Delaunay CONTENTS. Introduction 2. Dirichlet Series and Averages 3. Heuristics on Tate Shafarevitch Grous References In

More information

A Comparison between Biased and Unbiased Estimators in Ordinary Least Squares Regression

A Comparison between Biased and Unbiased Estimators in Ordinary Least Squares Regression Journal of Modern Alied Statistical Methods Volume Issue Article 7 --03 A Comarison between Biased and Unbiased Estimators in Ordinary Least Squares Regression Ghadban Khalaf King Khalid University, Saudi

More information

CHAPTER 5 STATISTICAL INFERENCE. 1.0 Hypothesis Testing. 2.0 Decision Errors. 3.0 How a Hypothesis is Tested. 4.0 Test for Goodness of Fit

CHAPTER 5 STATISTICAL INFERENCE. 1.0 Hypothesis Testing. 2.0 Decision Errors. 3.0 How a Hypothesis is Tested. 4.0 Test for Goodness of Fit Chater 5 Statistical Inference 69 CHAPTER 5 STATISTICAL INFERENCE.0 Hyothesis Testing.0 Decision Errors 3.0 How a Hyothesis is Tested 4.0 Test for Goodness of Fit 5.0 Inferences about Two Means It ain't

More information

Bayesian System for Differential Cryptanalysis of DES

Bayesian System for Differential Cryptanalysis of DES Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential

More information

q-ary Symmetric Channel for Large q

q-ary Symmetric Channel for Large q List-Message Passing Achieves Caacity on the q-ary Symmetric Channel for Large q Fan Zhang and Henry D Pfister Deartment of Electrical and Comuter Engineering, Texas A&M University {fanzhang,hfister}@tamuedu

More information

Elementary Analysis in Q p

Elementary Analysis in Q p Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some

More information

MATHEMATICAL MODELLING OF THE WIRELESS COMMUNICATION NETWORK

MATHEMATICAL MODELLING OF THE WIRELESS COMMUNICATION NETWORK Comuter Modelling and ew Technologies, 5, Vol.9, o., 3-39 Transort and Telecommunication Institute, Lomonosov, LV-9, Riga, Latvia MATHEMATICAL MODELLIG OF THE WIRELESS COMMUICATIO ETWORK M. KOPEETSK Deartment

More information

A Bound on the Error of Cross Validation Using the Approximation and Estimation Rates, with Consequences for the Training-Test Split

A Bound on the Error of Cross Validation Using the Approximation and Estimation Rates, with Consequences for the Training-Test Split A Bound on the Error of Cross Validation Using the Aroximation and Estimation Rates, with Consequences for the Training-Test Slit Michael Kearns AT&T Bell Laboratories Murray Hill, NJ 7974 mkearns@research.att.com

More information

Linear diophantine equations for discrete tomography

Linear diophantine equations for discrete tomography Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,

More information

Identity-based encryption

Identity-based encryption Identity-based encryption Michel Abdalla ENS & CNRS MPRI - Course 2-12-1 Michel Abdalla (ENS & CNRS) Identity-based encryption 1 / 43 Identity-based encryption (IBE) Goal: Allow senders to encrypt messages

More information