Hierarchical identity-based encryption Michel Abdalla ENS & CNS September 26, 2011 MPI - Course 2-12-1 Lecture 3 - Part 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 1 / 33
Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 2 / 33
Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 3 / 33
Identity-based encryption Goal: Allow senders to encrypt messages based on the receiver s identity. Key distribution center Key Setup msk Key Derivation ID mpk sk ID ID, M Encryption C Decryption M Sender eceiver ID Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 4 / 33
Hierarchical identity-based encryption (HIBE) oot I Level 1 1 I Level 2 2 I 3 Level 3 ID = (I 1,I 2,I 3 ) Identities are vectors of the form (id 1,..., id L ), where L is the HIBE depth. Hierarchical key derivation Users with (id 1, id 2 ) can derive keys for any user whose identity is of the form (id 1, id 1, *,..., *) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 5 / 33
HIBE key derivation oot oot msk Key Derivation ID 1 sk ID1 Level 1 ID 1 Key Derivation ID 2 sk (ID1,ID2) ID 2 Level 2 mpk, (ID 1,ID 2 ), M Sender Decryption C Encryption M Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 6 / 33
Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 7 / 33
Hierarchical Identity-based encryption (HIBE) Identity at level 1 l L is a vector id = (id 1,..., id l ) ID l. oot identity is represented by ε. An HIBE scheme is defined by four algorithms: Setup(1 k, L): Outputs a master public key mpk for a HIBE of depth L along with master secret key msk. KeyDer(sk (id 1,...,id l ), id l+1 ): Uses the secret key sk for identity id = (id 1,..., id l ) to compute a secret key sk id for the user with identity id. Enc(mpk, id, m): Generates a ciphertext C for identity id = (id 1,..., id l ) and message m using master public key mpk. Dec(C, sk id ): Allows the user in possession of sk id for identity id = (id 1,..., id l ) to decrypt the ciphertext C and get back a message m. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 8 / 33
HIBE security notions Just as in the IBE case, we can consider different attacks (adaptive-identity vs. selective-identity) and goals (indistinguishability and anonymity) for HIBE schemes. Indistinguishability The adversary s goal is to distinguish Enc(mpk, id, m0 ) from Enc(mpk, id, m1 ) for values id, m0,m 1 of its choice. Anonymity The adversary s goal is to distinguish Enc(mpk, id 0, m ) from Enc(mpk, id 1, m ) for values id 0, id 1, m of its choice. Adaptive-identity chosen-plaintext attacks In this model, the adversary is allowed to choose the challenge identity values at the time that it asks the challenge query. Selective-identity chosen-plaintext attacks In this model, the adversary has to choose the challenge identity values before seeing the public key. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 9 / 33
IND-HID-CPA: Indistinguishability under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ind-cpa-β HIBE,L,A (k) proc L(id, m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn β The advantage of A against the IND-HID-CPA security of HIBE is defined as [ ] [ ] Adv ind-cpa HIBE,L,A (k) = Pr Exp ind-cpa-1 HIBE,L,A (k) = 1 Pr Exp ind-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 10 / 33
IND-HID-CPA: An alternative definition Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-HID-CPA security of HIBE. proc Initialize(k, L) Game Exp ind-cpa HIBE,L,A (k) β {0, 1} (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(id, m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-HID-CPA security of HIBE is defined as [ ] Adv ind-cpa HIBE,L,A (k) = 2 Pr Exp ind-cpa HIBE,L,A (k) = true 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 11 / 33
IND-sHID-CPA: Indistinguishability under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-sHID-CPA security of HIBE. proc Initialize(k, L, id ) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp s-ind-cpa-β HIBE,L,A (k) proc L(m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn β The advantage of A against the IND-sHID-CPA security of HIBE is defined as [ ] [ ] Adv s-ind-cpa HIBE,L,A (k) = Pr Exp s-ind-cpa-1 HIBE,L,A (k) = 1 Pr Exp s-ind-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 12 / 33
IND-sHID-CPA: An alternative definition Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the IND-sHID-CPA security of HIBE. Game Exp s-ind-cpa[l] HIBE proc Initialize(k, L, id ) β {0, 1} (mpk, msk) Setup(1 k ) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m 0, m 1 ) C Enc(mpk, id, m β ) eturn C proc Finalize(β ) eturn (β = β) The advantage of A against the IND-sHID-CPA security of HIBE is defined as [ ] Adv s-ind-cpa HIBE,L,A (k) = 2 Pr Exp s-ind-cpa[l] HIBE = true 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 13 / 33
ANO-HID-CPA: Anonymity under chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-HID-CPA security of HIBE. proc Initialize(k, L) (mpk, msk) Setup(1 k ) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id Game Exp ano-cpa-β HIBE,L,A (k) proc L(id 0, id 1, m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn β The advantage of A against the ANO-HID-CPA security of HIBE is defined as [ ] [ ] Adv ano-cpa HIBE,L,A (k) = Pr Exp ano-cpa-1 HIBE,L,A (k) = 1 Pr Exp ano-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 14 / 33
ANO-sHID-CPA: Anonymity under selective-identity chosen-plaintext attacks Let HIBE = (Setup, KeyDer, Enc, Dec) be a hierarchical identity-based encryption scheme of depth L. Let A be an adversary against the ANO-sHID-CPA security of HIBE. Game Exp s-ano-cpa-β HIBE,L,A (k) proc Initialize(k, L, id 0, id 1) (mpk, msk) Setup(1 k, L) eturn mpk proc KeyDer(id) sk id KeyDer(msk, id) eturn sk id proc L(m ) C Enc(mpk, id β, m ) eturn C proc Finalize(β ) eturn β The advantage of A against the ANO-sHID-CPA security of HIBE is defined as [ ] [ ] Adv s-ano-cpa HIBE,L,A (k) = Pr Exp s-ano-cpa-1 HIBE,L,A (k) = 1 Pr Exp s-ano-cpa-0 HIBE,L,A (k)) = 1 Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 15 / 33
Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 16 / 33
Boneh-Boyen HIBE scheme (BB) Setup(1 k, L): (G, G T, p, ê) G(1 k ) g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1, G, G T, p, ê) msk g ab return (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 (H id ) l+1 rl+1 i,0 H i,1 sk l+1 g r l+1 return (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i ( H id i i,0 H ) t i,1 K ê(a, B) t C 3 m K return (C 1, (C 2,1,..., C 2,l ), C 3) Dec(sk, C): parse sk (id1,...,id l ) as (sk 0,..., sk l ) parse C as (C 1, C 2,1,..., C 2,l, C 3) K ê(sk 0, C l 1)/ i=1 ê(sk i, C 2,i ) m C 3/K return m Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 17 / 33
Additional comments about the BB HIBE scheme The secret key sk (id1,...,id l ) = (sk 0,..., sk l ) for identity (id 1,..., id l ) has the form: sk 0 = g ab l i=1 (Hid i i,0 H i,1) r i sk i = g r i for i = 1,..., l The secret key outputted by KeyDer can be re-randomized via andomize(sk (id1,...,id l )): parse sk (id1,...,id l ) as (sk 0,..., sk l ) for i = 1,..., l do r i Z p sk i sk i g r i sk 0 sk 0 l i=1 (Hid i i,0 H i,1) r i return (sk 0, sk 1,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 18 / 33
Correctness of BB HIBE scheme For a valid ciphertext, we have: K = ê(sk 0, C 1 )/ l i=1 ê(sk i, C 2,i ) = ê(g ab l i=1 (Hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g ab, g t ) l i=1 ê((hid i i,0 H i,1) r i, g t )/ l i=1 ê(g r i, (H id i i,0 H i,1) t ) = ê(g a, g b ) t = ê(a, B) t = K Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 19 / 33
Boneh-Boyen-Goh HIBE scheme (BBG-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i G for i = 1,..., L mpk (g 1, g 2, h 1, u 0,..., u L ) sk 0 h 2 For i = 1,..., L + 1 do sk i 1 msk (sk 0, sk 1,..., sk L, sk L+1 ) eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L, sk L+1 ) r l+1 Z p sk 0 sk 0 sk id l+1 l+1 (u l ) 0 i=1 uid i rl+1 i For i = l + 2,..., L do sk i sk i u r l+1 i sk L+1 sk L+1 g r l+1 1 eturn (sk 0, sk l+2,..., sk L, sk L+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g1 r C 2 ( u l ) 0 i=1 uid i r i C 3 m ê(h 1, g 2) r eturn (C 1, C 2, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0, sk l+1,..., sk L+1 ) Parse C as (C 1, C 2, C 3) m C 3 ê(c 2,sk L+1 ) ê(c 1,sk 0 ) eturn m Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 20 / 33
Waters HIBE scheme (Wa-HIBE) Setup: g 1, g 2 G ; α Z p h 1 g1 α ; h 2 g2 α u i,j G for i = 1,..., L; j = 0... n mpk (g 1, g 2, h 1, u 1,0,..., u L,n ) msk h 2 eturn (mpk, msk) KeyDer(sk (id1,...,id l ), id l+1 ): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) r l+1 Z p sk 0 sk 0 F l+1 (id l+1 ) r l+1 sk l+1 g r l+1 1 eturn (sk 0, sk 1,..., sk l, sk l+1) Enc(mpk, id, m): Parse id as (id 1,..., id l ) r Z p ; C 1 g r 1 For i = 1,..., l do C 2,i F i (id i ) r C 3 m ê(h 1, g 2) r eturn (C 1, C 2,1,..., C 2,l, C 3) Dec(sk (id1,...,id l ), C): Parse sk (id1,...,id l ) as (sk 0,..., sk l ) Parse C as (C 1, C 2,1,..., C 2,l, C 3) m C 3 eturn m li=1 ê(sk i,c 2,i ) ê(c 1,sk 0 ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 21 / 33
Outline 1 Introduction 2 HIBE definition Syntax Security notions 3 HIBE schemes Boneh-Boyen HIBE Boneh-Boyen-Goh HIBE Waters HIBE 4 Security of BB Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 22 / 33
BDDH security of BB HIBE scheme Theorem Let BB refer to the Boneh-Boyen HIBE scheme described above, G be a pairing parameter generator, and A be an adversary against IND-sHID-CPA security of BB, making at most a single query to the L procedure. Then, there exists an adversary B against the BDDH problem relative to G, whose running time is that of A and such that Adv s-ind-cpa BB,L,A (k) 2 Advbddh (B). G,k Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 23 / 33
Security proof of BB scheme Proof will define a sequence of five games (G 0,..., G 4 ). For simplicity, we omit the pairing parameter generation in Initialize. We assume that id has length L. j denotes the smallest index such that id j id j in L procedure. G 0 : This game is the real attack game against BB. G 1 : We change the computation of H i,b so that H id i i,0 H i,1 = g α i for a random α i. G 2 : We change the simulation of the key derivation procedure KeyDer so that the game answers these queries without the knowledge of the master secret key. G 3 : We change the simulation of the L procedure so that C 2,i = C 1 α i. That is, we don t need to know t to compute it. G 4 : We change the simulation of the L procedure so that K is chosen uniformly at random. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 24 / 33
Game G 0 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; b = 0, 1 do h i,b Z p ; H i,b g h i,b mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 0 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., l do r i Z p ; sk i g r i sk 0 g ab l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 25 / 33
Game G 1 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do α i α i Z p ; H i,0 B α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 1 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., l do r i Z p ; sk i g r i sk 0 g ab l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 26 / 33
Game G 2 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 2 proc L(m0, m1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i (H id i i,0 H i,1) t K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do Z p ; sk i g r i r j r i Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 27 / 33
Game G 3 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 3 proc L(m 0, m 1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i C 1 α i K ê(a, B) t C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do r i Z p ; sk i g r i r j Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 28 / 33
Game G 4 proc Initialize(k, L, id ) β {0, 1} g G a Z p ; A g a b Z p ; B g b for i = 1,..., L; do Z p ; H i,0 B α i α i α i Z p ; H i,1 g α i B id i α i mpk (g, A, B, H 1,0,..., H L,1 ) msk g ab eturn mpk proc Finalize(β ) eturn (β = β) Game G A 4 proc L(m 0, m 1 ) parse id as (id 1,..., id l ) t Z p ; C 1 g t for i = 1,..., l do C 2,i C 1 α i K G C3 mβ K eturn (C 1, (C 2,1,..., C 2,l ), C 3) proc KeyDer(id) parse id as (id 1,..., id l ) for i = 1,..., j 1, j + 1,..., l do r i Z p ; sk i g r i r j Z p ; sk i g r j A 1/(α j (id j id j )) sk 0 A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i eturn (sk 0,..., sk l ) Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 29 / 33
Probability analysis Claim 1 Adv s-ind-cpa BB,L,A (k) = 2 Pr [ G A 0 = true ] 1 Claim 2 Pr [ G A 1 = true ] = Pr [ G A 0 = true ] Claim 3 Pr [ G A 2 = true ] = Pr [ G A 1 = true ] Claim 4 Pr [ G A 3 = true ] = Pr [ G A 2 = true ] Claim 5 Pr [ G A 4 = true ] Pr [ G A 3 = true ] Adv bddh G,k (B) Claim 6 Pr [ G A 4 = true ] = 1/2 It s straightforward to verify that the security theorem follows from the claims above. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 30 / 33
Proof of Claims 1, 2, 4, and 6 Claim 1 follows the security definition. Claim 2 follows from the fact that H i,b is still uniformly distributed in G. Claim 4 follows from the fact that C 2 C 2,i = (H id i i,0 H i,1) t = ((B α i ) id i g α i B id i α i ) t = g α i t = C 1 α i is still being correctly computed. Claim 6 follows from the fact that A has no information about β in G 4. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 31 / 33
Proof of Claim 3 Claim 3 follows from the fact that (sk 0,..., sk l ) is still a valid random secret key for user id = (id 1,..., id l ), where r j = r j a/(α j (id j id j )) is the randomness being used to generate sk j. sk j = g r j = g r j a/(α j (id j id j )) = g r j g a/(α j (id j id j )) = g r j A 1/(α j (id j id j )) sk 0 = g ab (H id j j,0 H j,1) r j j 1 i=1 (Hid i i,0 H i,1) r i l i=j+1 (Hid i i,0 H i,1) r i = g ab ((B α j ) id j g α j B id j α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab ((g bα j ) id j g α j g bid j α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab (g bα j (id j bid j ) g α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = g ab g ab (g α j ) a/(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i = A α j /(α j (id j id j )) l i=1 (Hid i i,0 H i,1) r i Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 32 / 33
Proof of Claim 5 In order to prove Claim 5, we need to build an adversary B against the BDDH problem. Let (G, g, A, B, C, Z) be the input of B. To simulate procedure Initialize, B sets H i,0 = B α i and H i,1 = g α i B id i α i for random α i, α i and returns mpk = (g, A, B, H 1,0,..., H L,1 ) as the public key. When simulating procedure L, B sets C 1 = C, C 2,i = C 1 α i, and K = Z. B simulates procedures KeyDer and Finalize exactly as in G 3. When B is being executed in Game Exp bddh-0 G,k (B), B simulates G 3 to A. That is, Pr [ G A 3 = true ] = Pr [ Exp bddh-0 G,k (B) = true ]. When B is being executed in Game Exp bddh-1 G,k (B), B simulates G 4 to A. That is, Pr [ G A 4 = true ] = Pr [ Exp bddh-1 G,k (B) = true ]. The claim follows. Michel Abdalla (ENS & CNS) Hierarchical identity-based encryption September 26, 2011 33 / 33